Juha Saarinen: When will these mega hacks end?


Another week, another really serious mega hack affecting many thousands of companies and people. Apologies if I’m being repetitive, but recent exploitation of Microsoft Exchange Server vulnerabilities, attributed to Chinese state hackers Hafnium, are again as bad as it gets.

Some of the reporting around the hacks has been off the tracks. To clarify, there are vulnerabilities in Microsoft’s Exchange Server, which is a software application that’s used for sending and receiving email, to store messages, and to manage contacts and calendaring, among other things.

It’s not email providers like Hotmail and Outlook.com that were hacked. Unlike the standalone Exchange Server used by businesses and other organisations, the online mail providers are not affected by the vulnerabilities, Microsoft says.

The four vulnerabilities are used in sequence as an attack chain that issues authentication commands and unexpected input that should be rejected, but instead makes un-patched Exchange Servers go “Open Sesame!” and provide hackers access to the data they contain.

And, once they’re in the servers, attackers can leave behind malware, backdoors and maybe move further into the network.

Experts are still fine-tuning their scanning scripts to check if there really are over 260,000 vulnerable Exchange Servers out there on the internet. Even when taking out the false-positives, there are bound to be many thousands of internet-connected servers out there, many of which won’t be patched fast enough, and some not at all.

That last bit is important: researchers in Taiwan found the vulnerabilities in December and assembled them into an attack chain that was reported to Microsoft in January. Patches were developed and released on March 3.

The same day, other researchers in Washington DC detected attacks using the vulnerabilities.

Even if admins patch now, they’ll need to check very carefully that their servers haven’t already been exploited, with stealthy malware planted on them. American cyber security authorities’ advice to unplug hacked servers from networks is sound in that context.

Over the past months we’ve seen critically important organisations like the Reserve Bank of New Zealand being hacked; in some cases it’s down to simple flaws in code, in others more elaborate methods employed carefully over a long period of time, as with the SolarWinds security monitoring software hacks.

Either way, the effects are devastating with huge financial losses, privacy breaches for years to come thanks to personal information leaking out, and yes, national security could be undermined as well.

How we put an end to it, let alone limit the spate of hacks that look set to continue isn’t clear.

One remedy of sorts would be to only use services from the giant cloud providers which have big, experienced security teams that monitor systems and networks with advanced software tools.

However, even big providers can get “popped” as the cyber security jargon goes. When that happens, the damage can be much more serious due to the sheer number of accounts that can be exposed, compared to smaller organisations.

Making security a Big Tech Co’s problem is a passive and reactive approach that doesn’t address the root cause of the issue.

Nor is hoping the good people, security researchers, will find flaws and that patches will be developed, tested, distributed and deployed before nation-state black hats and ransomware raiders hit your systems a viable approach anymore, as recent experience has shown.

Every now and then you hear of police patiently unravelling hacker gangs which seem as prone to making mistakes and being careless as the rest of us. The Dutch cops especially have built quite a reputation here, but getting hacked and having the police forces hack back is that ambulance at the bottom of the cliff again.

There needs to be some high costs loaded onto hacking and not on users who are struggling to keep up as it is. A while ago, an idea was floated in Internet Overlord circles that it should be expensive to exchange traffic with certain countries that are known to harbour and even employ cyber attackers.

This could direct traffic charges, or requiring steep insurance premiums of providers, and a reduced number of internet exchanges (no, those things are not Microsoft related)

where rogue nations hook up with the rest of the world.

The US has started thinking along those lines, but unfortunately, Western nations are playing both sides here and don’t necessarily want to cut off their access to networks and systems in Cyber Mordor.

While we wait for fresh thinking on cyber security, keep your stuff up to date, with visibility of it all, and take unneeded data (you’d be surprised how much of that there is) offline. If you can’t do that, prepare to get popped. Well, you’ll probably be hacked anyway, but it’s a nice, warm feeling that at least you tried to prevent it.

Source: Read Full Article