Expert Weighs in on Ransomware, Cybersecurity

Security is a process and there’s a set of activities that every organization needs to do.

by Samantha Christmann, The Buffalo News (Buffalo, N.Y.) / November 7, 2016
Photo caption: Major data breaches have affected Medicaid, DMV and school district information systems. (Shutterstock)

(TNS) -- Dave Newell has been keeping computers secure since before information security even existed as a defined profession. As founder of East Aurora-based cybersecurity firm Loptr LLC, he’s at the forefront of the field today.

He got his start as a U.S. Air Force officer in the Pentagon’s 7th Communications Group. In 1995, he started Denver-based Crave Technology before joining Computer Task Group in 2005, where he led an information security consulting group. He has a bachelor’s degree in computer systems and mathematics from Grove City College in Pennsylvania.

Q: How did you end up at the Pentagon and what did you do there?

A: I had an Air Force ROTC scholarship when I graduated from high school. In the Air Force you can kind of request what base you want to go to, and the Pentagon had more computer slots than any other base in the world, so I opted to go to the Pentagon because I wanted to make sure that I got to work with computers. The 7th Communications Group was basically 1,100 people who were the IT staff for the Air Force at the Pentagon.

Q: What is it about computers and security that you enjoy?

A: I think one of the things I like about computers is there’s a lot of precision to it. There’s this ability to design things, to create something and have it operate the way you designed it. So you can write a computer program and see it actually functioning. But along with that there’s a creative aspect to it. So it’s kind of this combination of the science of computer programming or network design and the creativity of being able to create a piece of software that meets somebody’s needs or a graphic that really is compelling for folks.

Q: The information security industry is pretty new.

A: At the Pentagon, my primary responsibility was a set of computers that ran in a data center that ran the secret portion of the Air Force budget. But I also helped manage some unclassified systems that were used for basic automation for the Air Force.

Those systems were basically just connected to the internet. There were no firewalls; there was nobody who was doing security. At this point, the threats were different; there weren’t really any bad guys that we were worried about.

Most hackers we had to worry about were kids in college. One of the things we would see is that hacking activity against these systems would actually increase over summer vacation, Christmas vacation, spring break, because that’s when kids would be home and they would be doing hacking.

At this point, computers were just connected to the internet. There wasn’t much in the way of security; we just had to rely on a few settings on the system, and there weren’t any security professionals. And then what happened was you started to get people within the network groups and the systems groups who started to pay attention to what was going on and look at how we could prevent those attacks.

Then in the ’90s, as the internet became something that businesses used, there was a change in threats. Suddenly there was an opportunity for people to break into systems and do more than just entertain themselves. So with that came an evolution of security professionals like me who moved from being interested in security to doing security as our full-time job.

Q: What do you do at Loptr?

A: For us the focus is really on helping people understand that security is a process and there’s a set of activities that every organization needs to do. The most interesting thing we do I think is penetration testing where we go into an organization and either break into a computer system or an application or a network or we actually will go into somebody’s facility and test their physical security to help them find weaknesses. It’s probably the sexiest part of what we do because it’s us going in as bad guys and trying to compromise an organization, so that organization can learn from what we’ve done and improve their defenses.

Q: There have been local cases of hackers holding companies’ computer systems for ransom, locking businesses out of their computers until a ransom is paid. How does that work?

A: That’s pretty common these days. The thing ransomware does for an attacker is it gives them an easy way to monetize their attack. So when you look at the college kids that 25 years ago were breaking into systems, they couldn’t gain anything financially from it because there was no way to make money off of it, so they were just hacking as a hobby. So for the regular consumer who’s out there and has a computer connected to the internet, ransomware gives the bad guy a way to cheaply gain access to their money by basically getting to their computer, encrypting all their files so they’re not accessible, and then requiring a ransom in order to decrypt the files.

So the way ransomware happens is a bad guy will send a phishing attack – an email with a bogus link in it or an attachment that, if somebody clicks on it, will infect your computer – the victim clicks on the link and goes to an evil website, or they click on a file and the file runs and installs ransomware. The ransomware goes through the entire hard drive and encrypts files and then displays a message that the files have been encrypted and asks for payment, which usually is in Bitcoin, to get their files back.

What’s different when you get into businesses is that the ransomware will not just go to the computer that’s been infected, it will move throughout the network and look for other files that are shared from servers and encrypt those files as well. So what you’ll see is, one victim gets hit by ransomware on a corporate network and the next thing you know, every system that user could connect to is infected as well.

Q: It has happened here, right?

A: It definitely has happened in Western New York. It’s a pretty widespread issue. It’s not widely reported partly because in many cases, businesses that are affected by ransomware clean it up and move on with their lives. They don’t necessarily have to report the ransomware infection because it typically doesn’t involve a breach of data.

Q: How much do they usually demand?

A: It varies. It depends on how much Bitcoin is exchanged for at the time. For consumers, it might be a Bitcoin or a fraction of a Bitcoin, so it might be $500 to $1,000. For businesses, there’s been some press that’s talked about million-dollar requests but I think most of the ransoms we see could be over $10,000 but they’re not dramatically large in terms of what they’re asking.

Q: Are there other crazy, futuristic things going on out there that we’re not hearing about?

A: One thing we tend to not understand is that so many of the devices we have are computers and they’re connected to networks. Your refrigerator, lights, smoke detector are all connected to the internet, and there can be some risk with that. During one of our penetration tests, we were working on a client’s network, looking for ways to break in, and we ended up finding a printer on the company’s network and it was insecure. Once we gained access to the printer, we used it to get access to a systems administrator’s account for the entire organization.

Q: I had no idea our IT guys were doing such cool stuff.

A: They are totally doing cool stuff.

©2016 The Buffalo News (Buffalo, N.Y.) Distributed by Tribune Content Agency, LLC.