Expert: We Are Not Learning Enough From Cyberattacks

A former tech executive is troubled that the frequent cyberattacks that have hit businesses and local government entities do not seem to be sparking a wave of learning and improvement in their aftermath.

by Mason Dockter, Sioux City Journal / March 3, 2020

(TNS) — One of the things that troubles Rob Cheng about the frequent cyberattacks that hit businesses and government entities, including incidents in Siouxland, is that nobody seems to learn much from them.

"The reason why this keeps on happening is that we're not learning from every attack. We're not getting better. And so it just keeps on getting worse," said Cheng, CEO of antivirus software company PC Matic.

Cheng, a former executive at Gateway computers in North Sioux City, talked to The Journal on Wednesday after meeting with Iowa Attorney General Tom Miller about cybersecurity issues earlier in the week.

The city of Wayne, Nebraska, fell victim to a ransomware attack on Feb. 18. Their files were encrypted and their computer-based systems went down. The hackers demanded a shockingly high price to release the files -- $500,000.

In December, the city of Sioux City was notified by a third-party vendor "that alterations to the vendor’s application code could have enabled the unauthorized copying of payment card information from the City’s Internet browser window during certain payment transactions," according to a letter the city sent to residents.

In all, 3,563 of the city's parking ticket and utility billing system customers were impacted -- their name, address, payment card number, expiration date, and CVV potentially exposed. It's not known precisely what type of software security measures the city or its third-party vendor had in place, as the city's main IT person was not available to comment on the situation at the time of this writing.

Two Sioux City eye clinics separately fell victim to ransomware attacks within months of each other in late 2018 and early 2019, one of which might have exposed the personal health information of some 40,000 patients.

There have been much bigger incidents elsewhere. During the past several months, Louisiana Gov. John Bel Edwards has declared and later renewed a state of emergency repeatedly after the state's Office of Motor Vehicles and other state entities fell victim to cyberattacks.

In 2019 the city of Baltimore fell victim to a massive ransomware attack -- and oddly enough, the hackers in that case demanded only around $75,000, less than a sixth of what was demanded of Wayne. The Baltimore Sun reported that the attack cost the city an estimated $18.2 million in all, though the city refused to pay the ransom.

In a traditional ransomware attack, an attacker remotely encrypts a victim's computer files (scrambling the information and turning it into a hard-to-decipher code) and demands payment to remove the encryption. The payment almost always is demanded not in dollars but in Bitcoin, a crypto-currency that's virtually impossible to track. Bitcoin prices ebb and flow compared to dollars, and the dollar value of the 13 Bitcoins demanded by the Baltimore hackers later inflated to around $100,000, according to NPR.

Ransomware traditionally has infected computer systems through emails, though Cheng said that more recently, another ransomware method -- something called RDP, or remote desktop protocol -- began to appear on the radar.

RDP was intended as a means to do legitimate remote maintenance on networks, and is still used as such. But RDP was built by humans, and as such, other humans found a way to manipulate its flaws.

And then there's a whole new ransomware program called "Sodinokibi," which is even more insidious than its predecessors. It encrypts files and asks for a ransom, which is standard ransomware practice, but it also steals the files.

"If you don't pay the ransom, they're going to start leaking the files out," Cheng said.

The city of Wayne said it did not yet know how exactly the ransomware made its way into the city's systems.

"We don't know for certain, and probably never will," said Wayne City Manager Wes Blecke. "We're definitely still dealing with it."

The city has reached out to the FBI and the Nebraska State Patrol, and they have the National Guard on-call to examine their system. The FBI did point out some of their system's vulnerabilities -- vendors having access to their system, employees working on computers from home and so-called "phishing" emails.

"We definitely need to do a better job of looking at those vulnerabilities," Blecke said.

Blecke said his own work computer uses McAfee antivirus software, but he couldn't say what the rest of the city uses for antivirus protection.

Paying the half million-dollar ransom was never really considered as an option for the northeast Nebraska city during the attack. Fortunately the city kept backup files -- recorded on old-fashioned tapes -- and they only lost about 10 percent of their data, give or take, after wiping their system clean and re-installing the lost data.

"That's an incredibly high ransom amount, is what I've been told," Blecke said.

Cheng said paying a ransom is never a good idea, for obvious reasons. Yet, sometimes desperate victims comply with the hackers' demands -- and it doesn't help that some entities have obtained insurance policies that will pay the ransoms.

"People are paying the ransoms. When you pay the ransoms, then you're almost guaranteeing that they're going to come back, and they do," he said.

It's rare for perpetrators of ransomware attacks, and indeed most cybercrimes, to ever face charges.

"That's part of the reason why it's growing, is because they know they're not going to get caught," Cheng said.

Crypto-currency, with its many layers of secrecy and anonymity, goes a long way in ensuring the perpetrators are never apprehended.

While little is known in general about most perpetrators of cybercrimes, Cheng said they generally operate internationally.

"It's not Americans hitting Americans. This is clearly a foreign thing," he said. "And all of it is coming from countries that the United States does not have extradition (agreements with)."

Cheng wants the public to focus more on the holes and weaknesses that exist in the current cybersecurity paradigm.

Being smart about passwords is one oft-repeated way to shield yourself from cybercriminals -- using the same password for everything, including your work, banking, social media, online shopping and elsewhere, is ill-advised. If hackers can figure out the password used on one site, they have the key to all of them.

Yet a poll released in 2018 found that 59 percent of people use the same password everywhere.

"Stop doing that, stop it," Cheng said of using only one password. "They know your personal passwords."

At some point in the future, Cheng is hopeful computer programming will patch up the security holes, guarding against human follies and malevolence.

One idea he floated is a "VIN number" for computers -- an immutable number, like the VIN of a car, that identifies each computer. The current equivalent of that, the IP address, is too easy for criminals to circumvent.

"In the long run, I believe that we're going to have to create a new generation of computing that does everything we want, but is also secure. Fundamentally built to be secure so these things don't happen," he said.

©2020 Sioux City Journal, Iowa, Distributed by Tribune Content Agency, LLC.
