- The Strategist - https://www.aspistrategist.org.au -

Cyber wrap

Posted By on May 17, 2017 @ 14:15

This week one of the largest ransomware incidents to date, ‘WannaCrypt’ or ‘WannaCry’, affected the operations of at least 300,000 machines worldwide [1], encrypting and locking victims out until a Bitcoin ransom equivalent to US$300 was paid. It affected the operations of about [2] 40 hospitals and other health organisations in the UK, as well as major infrastructure [3] companies and government agencies across Europe. Australia appears to have escaped the worst of it [4], with some businesses affected but no major disruptions to critical services. The incident has prompted the usual calls to patch software and update anti-virus services [5].

UK malware researcher @MalwareTech [6], became an accidental hero [7] when he registered a domain name found within the WannaCry malware which acted as a ‘kill switch [8]’ for the virus. Not a bad return on a US$10.69 investment. Despite the unexpected relief, variants without [9] the switch have since popped up. Brian Krebs [10] estimates that people have coughed up US$26,148 so far—a paltry return considering the damage done. By comparison, CryptoWall raised US$325 million [11] in 2015. Efforts to uncover those behind WannaCry are in full swing, with some early signs suggesting a North Korean connection [12].

WannaCry has capitalized on a vulnerability that was part of the cache of NSA [13] tools leaked by Shadow Brokers in mid-April [14]. Microsoft patched the vulnerability in March (MS17-010 [15]), and has this week released further patches [16] for unsupported operating systems such as Windows XP. The episode has re-ignited calls from Microsoft for a Digital Geneva Convention [17], and prompted the company to clip the NSA over the ears [18] for stockpiling these vulnerabilities. However, these altruistic measures from Microsoft, and continuing calls to ‘just patch [19]’ don’t fully consider the difficulty of doing so [20]. Most organisations don’t and didn’t have the resources [21] to update their systems to the latest and most secure versions of Windows. On the other hand, this vulnerability was a security defect in the product that Microsoft put out, yet, under current software licensing law, they’re not held liable [22]. Commentators are questioning why the current incentive structure is for hospitals to take on the costs of paying licensing fees every half-decade to buy security features we expect as a given of any other product.

After a significant delay [23] President Trump has finally signed [24] an executive order to strengthen the cybersecurity of critical infrastructure and federal computer networks. In good news, the order doesn’t appear to be a total car wreck [25], with Wired calling it ‘refreshingly even-keeled’ [26]. It calls for numerous reviews to be completed within 90 days, and has a strong focus on accountability, aligning cyber risk management with budgets, and taking action to replace legacy systems. It has also addressed issues including international cooperation, workforce development and threats to the defence industrial base. The order has found some support in Congress [27], but Senator John McCain called for more urgent action in finalising a national cybersecurity strategy stressing there was no need for ‘more assessments, reports and reviews.’ Progress may also be further slowed by the lethargic pace of recruitment [27] of senior government cybersecurity officials.

There was also Congressional support [27] for the mandatory application of the NIST cybersecurity framework also included in the executive order [28]. NIST have this week issued [29] their revised set of standards for password best-practice, reversing previous requirements for scheduled password changes and combinations of upper case, lower case letters, numbers and symbols and replacing them with more ‘human-friendly [30]’ requirements that reject previously-compromised passwords. This could include emoji passwords if the user so desires.

The recent Federal Budget contained a couple of interesting cyber-related initiatives. A new Cyber Security Advisory Office (CSAO) will pop up in PM&C’s Digital Transformation Agency (DTA). Funded to the tune of $10.7 million over the forward estimates [31], the CSAO is the government’s response [32] to recommendations from #censusfail [33] investigations. The Office is tasked with acting as the ‘single, comprehensive source of truth to which agencies can turn to’ for cybersecurity expertise. Aspirational…

The DTA is also set to lead broader IT procurement and projects, including hosting a ‘Digital Investment Management Office’ and a ‘Digital Marketplace’. The Agency will control a $129.6 million ‘Modernisation Fund’ that will focus [34] on modernising agencies, upgrading cultural centres, and consolidating APS-wide IT, finance, and human resources functions into six corporate service hubs. The Fund will also seek to open up government data for public use through [35] the Data Integration Partnership of Australia.

Finally, the Budget has earmarked funds for the DTA to kick off [36] GovPass, a scheme to build a trusted digital identity framework for government services. That’s a lot of projects for an agency that had its future called into question [37] as recently as February this year.

Article printed from The Strategist: https://www.aspistrategist.org.au

URL to article: https://www.aspistrategist.org.au/cyber-wrap-164/

URLs in this post:

[1] 300,000 machines worldwide: https://intel.malwaretech.com/botnet/wcrypt

[2] about: http://www.bbc.com/news/health-39899646

[3] major infrastructure: http://www.reuters.com/article/us-spain-cyber-idUSKBN1881TJ

[4] escaped the worst of it: http://www.news.com.au/national/breaking-news/aust-may-have-missed-worst-of-cyber-attack/news-story/6bd1db9038ea8f437b944b29abf6c2ab

[5] patch software and update anti-virus services: https://www.ncsc.gov.uk/news/latest-statement-international-ransomware-cyber-attack-0

[6] @MalwareTech: https://twitter.com/MalwareTechBlog/status/863187104716685312

[7] accidental hero: https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

[8] kill switch: https://www.technologyreview.com/s/607872/the-wannacrypt-ransomware-attack-couldve-been-a-lot-worse/

[9] without: https://www.itnews.com.au/news/new-wannacrypt-variants-emerge-461854

[10] Brian Krebs: https://krebsonsecurity.com/2017/05/global-wana-ransomware-outbreak-earned-perpetrators-26000-so-far/

[11] CryptoWall raised US$325 million: http://thehackernews.com/2015/10/cryptowall-ransomware.html?utm_source=&utm_medium=email&utm_campaign=8760

[12] suggesting a North Korean connection: https://www.wired.com/2017/05/wannacry-ransomware-link-suspected-north-korean-hackers/

[13] cache of NSA: https://www.itnews.com.au/news/wannacrypt-ransomware-what-you-need-to-know-461717

[14] mid-April: https://theintercept.com/2017/04/14/leaked-nsa-malware-threatens-windows-users-around-the-world/

[15] MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

[16] patches: https://www.itnews.com.au/news/microsoft-releases-wannacrypt-patch-for-windows-xp-server-2003-461640

[17] Digital Geneva Convention: https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/#sm.00011ob298rjufrosze1yfaa6g7a7

[18] clip the NSA over the ears: https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.0001nbiglr184teelx7fjkiwlq87z

[19] just patch: https://www.lifehacker.com.au/2017/05/wannacry-is-what-happens-when-you-dont-patch-or-update-software/

[20] difficulty of doing so: https://tante.cc/2017/05/15/dont-just-update/

[21] didn’t have the resources: https://www.theregister.co.uk/2016/04/22/healthcare_insecurity/

[22] not held liable: https://www.nytimes.com/2017/05/13/opinion/the-world-is-getting-hacked-why-dont-we-do-more-to-stop-it.html?_r=1

[23] significant delay: https://techcrunch.com/2017/05/11/trump-signs-long-delayed-executive-order-on-cybersecurity/

[24] signed: https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal

[25] car wreck: https://techcrunch.com/2017/05/13/trumps-cybersecurity-executive-order-is-a-good-first-step/

[26] ‘refreshingly even-keeled’: https://www.wired.com/2017/05/security-news-week-trumps-cybersecurity-executive-order-looks-pretty-good/

[27] some support in Congress: http://thehill.com/policy/technology/333039-congress-offers-some-early-praise-of-trumps-cyber-executive-order

[28] mandatory application of the NIST cybersecurity framework also included in the executive order: http://www.lexology.com/library/detail.aspx?g=62210c70-a3a4-4719-ac8f-29fa782d0282

[29] issued: http://www.csoonline.com/article/3195181/data-protection/vendors-approve-of-nist-password-draft.html

[30] human-friendly: https://xkcd.com/936/

[31] tune of $10.7 million over the forward estimates: http://www.zdnet.com/article/budget-2017-dta-to-establish-au10-7m-cybersecurity-office/

[32] response: https://www.computerworld.com.au/article/618967/budget-2017-government-creates-new-cyber-security-office/

[33] #censusfail: https://twitter.com/hashtag/censusfail?lang=en

[34] focus: http://www.zdnet.com/article/budget-2017-government-outlines-digital-transformation/

[35] through: http://www.themandarin.com.au/78798-aps-modernisation-first-spend/

[36] kick off: https://www.computerworld.com.au/article/618962/budget-2017-old-it-new/

[37] question: https://www.itnews.com.au/news/is-there-a-future-for-australias-digital-transformation-agency-448074#disqus_thread

Copyright © 2024 The Strategist. All rights reserved.