Are our US Cities under attack right now?  Sure seems like it given the number of cities in the news that have been taken down with Ransomware attacks.

Ransomware attacks against organizations are never going away, and attacks against government institutions seem to be an easy target, and an easy way to make money for some.

In a quick 5 minute search on google, I located 13 Government run networks that were taken down/breached recently with Ransomware.

• Riviera Beach, Fl
• City of Baltimore
• Greenville, N.C.
• Lake City FL
• Atlanta GA
• Port of San Diego
• MUSCATINE, Iowa
• West Haven CT
• The City of Farmington NM
• City of Albany
• Del Rio, Texas, 
• Palm Beach County village 
• Jackson County

I have a read a few articles that actually put that number higher, more than 50 government run (City, County, State, Federal) networks that were ill prepared, not up to date, and clearly not being monitored by anyone. All of them breached with Ransomware.

Some have elected to pay the ransom, others (like Baltimore) decided not to do so, and now are spending millions of dollars to recover. There was even talk about asking FEMA to assist them.

In the recent case of Riviera Beach, they knew their systems were antiquated, had gone to the city council on Feb 20 2019 asking to spend $798,419.00 to purchase a new backup system. The council approved it that night, but it was never installed.

All of them have something in common, besides being a tax payer funded government, and that is basic precautions were not taken, including monitoring.

With the recent announcement from the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) regarding the large increase of attacks from Iran specifically, all organizations should look to better monitor what is occurring 24/7 on their networks and systems. Something as basic as reviewing logs 24 hours a day can go a long way in mitigating threats.  This of course is something we do as part of our MDR & Threat Hunting services we offer for hundreds of customer right now, including governmental organizations.

 

Last week, on Thursday morning, I started to see what I call the first real shots being fired in the Cyber War of 2019 with Iran.  I thought I would write down a few thoughts I have regarding the situation in general.

 

For the past 18 months we at Milton Security had been tracking certain types of activity that we knew for certain or believed to be from Iran, across our customers. The types of activity ranged from simple to elaborate phishing attempts, password spray attempts (and successes in the cases of a few firms we know of including Citrix, which was made public). We also know of and tracked some counter developments.

 

In addition there is a possible double agent within Iran, who is dissatisfied with what was occurring, and has a grudge against the Iranian government. This individual has been releasing information, including doxing individuals in the Iranian government, and its defense contractors. They have listed out targets, tools and techniques used by the Iranian Cyber teams on Telegram.

 

When the drone was shot down by the Iranians, we knew this was going to escalate cyber activity against US targets. I am still trying to make sense of all the information around the downing of the drone. A few possibilities I have seen over the past 48 hours :

 

1. Our drone was in international waters and Iran struck it down
2. Our drone was in Iranian waters and Iran struck it down
3. Our drone was in international waters, Iran jammed the GPS on the drone which made the drone go off course into Iranian territory
4. Our drone was in international waters and a third party jammed the GPS on the drone which made the drone go off course in Iranian territory

 

Iran also stated that it had our Navy P-8 plane, which was monitoring the drone, in its sights and decided not to fire at it, since it had US Navy personnel onboard.

 

Now, I am not an expert in strategy or military operations, but knowing a little bit on how the US Navy and the US Coast Guard do operations, I do see the US Navy flying right along the demarcation line, much like we send US Navy and US Coast Guard vessels along the same line, to show there is an international presence, and do what’s called Freedom Of Navigation.  This ensures that commerce can go unimpeded.  This is also done frequently in the South China Sea contested areas as well.

 

This is also how the US Navy Riverine Boats were captured by the Iranians in 2016.  Running along the boundary and one of the vessels becoming dead in the water.  Was this also a case of GPS issues?

 

When President Trump decided at the last moment not to retaliate with weapons, this confused the Iranian side and it confused the American press.  It gave the Iranians time to regroup, and re-assess their defense against possible missile strikes. Wether this was a true case of having second thoughts of potentially killing 150 Iranian military and civilian personnel, or was it part of the plan, I guess depends on how you view this administration.

 

After the drone was struck down the US was able to accomplish retaliatory cyber strikes against Iranian computers systems that control their missiles and radar sites.

 

Since Thursday, our team at has seen the intensity of attempts increasing from potential Iranian backed actors. And this is not the end, just the beginning, of the Cyber War with Iran. The Whitehouse is looking to expand its cyber toolset, with greater flexibility in using cyber attacks.

 

This week is lining up to be very interesting. Tomorrow, President Trump said he will apply new sanctions against Iran, and Iran has stated they will bypass the nuclear 300 kilogram limit within 4 days.

Sunday afternoon thoughts :

As a parent to two daughters, I am always concerned about interactions with apps.  What data do these applications actually collect, are they safe for general use, etc.

Today I thought I would look at TikTok, a popular application.

(link https://en.wikipedia.org/wiki/TikTok)

I set about this task :

1. I setup my MacBook to share its WiFi connection to the LAN.
2. I reset an iPad
3. Connected to WiFi on MacBook from iPad
4. Downloaded the TikTok application
5. Ran packet capture during the setup of the account for TikTok

For a comparison I had one of my daughters use her iPhone/TikTok and captured that data as well.

While most of the transactions that occur with TikTok are in fact TLS, there are a couple of things when the application starts up that is not.

Do you see an issue with these?

What do you see that should be of concern?

In addition to these non-TLS packets of data, Whenever there is a a new video played, some or all of it is actually sent without TLS/SSL.

This is from 15 minutes of reviewing.  From first glance they use OpenUDID which I thought was closed down in 2015.

 

 

 

 

One of the things I really enjoy is taking part in the introductory meetings with our sales team. During these meetings I get a lot of firsthand knowledge about what firms are doing currently in securing, monitoring and remediating their infrastructure.

However, one of the most discouraging things to occur happened recently. I got to talk to a firm with over 2,500 employees/contractors spread across 10 offices in the US. This particular organization tells me they don’t have a security team per se, more like an ad-hoc group of IT personnel that also do security.

They outline that besides the ransomware that has occurred a few times in the past year, they believe they are totally secure because nothing else has happened to them, despite the fact that they have no standard policies and procedures, and their 8-year old SonicWalls have never been updated. They believe they’re secure especially since they passed their last visit by a QSA and their PCI Audit/Certification.

They see a need for a service like what Milton offers (Managed Detection and Response), but since they don’t look at their logs now anyway, and they haven’t needed to in the past, they do not think they will look at this until CY 2019 as they have a new office opening and have to do PC Upgrades and new office furniture.

Of course, if the reason they gave me was, “Oh we went with your competitor,” I would have walked away knowing that, phew, at least they understand this is needed, and they went to someone who will give them a level of MDR above what they have currently.

It certainly feels upside down when organizations prioritize Security and Risk Mitigation below  new computers and new desks.

 

So, I decided some time ago to start putting my musings and rambling thoughts in a central location.

Read on if you want to be bored by talk of Bourbon, Whiskey, Infosec, Veteran issues, Small Business issues, and general thoughts.