Cyber Security Today, Week in Review for the week ending March 17, 2023

Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, March 17th, 2023. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

In a few minutes David Shipley of Beauceron Security will be here to talk about recent cybersecurity news. But first a look at some of the headlines from the past seven days:

A Canadian parliamentary committee looking into threats from Russia issued a report with a number of cybersecurity recommendations for the federal government. David knows about this committee very well because he testified before it, so will have some insight.

We’ll also talk about Parliament’s national defence committee, which is in the middle of cybersecurity hearings of its own, heard a witness calling for the federal government to better support Canadian cybersecurity companies when it looks for products.

The government of Newfoundland and Labrador issued a report on the 2021 ransomware attack on the provincial healthcare system. Among the findings: A compromised username and password started the attack.

And David will have thoughts about the increase in phishing attacks we’re seeing after the collapse of Silicon Valley Bank in the U.S. and Canada.

In other news, authorities in the U.S. and Germany took down ChipMixer, a cryptocurrency mixing service used by crooks to launder currency. It is believed the service processed over US$700 million in stolen bitcoin and US$17 million in ransomware payments. A Vietnamese resident was also charged in the U.S.

A Florida website design and hosting company has agreed to pay US$293,000 to settle allegations it failed to secure personal information for one of its customers. That customer was a children’s health insurance website called HealthyKids.org. The federal government alleged the provider, Jelly Bean Communications, didn’t properly maintain, patch and update its software systems. In 2020 HealthyKids.org was hacked and then forced to close.

Two people have been charged in the U.S. with using a stolen police officer’s password last year to get into a law enforcement agency’s web portal. The pair then allegedly threatened people listed on databases that information about them would be publicly released unless they were paid. Cybersecurity reporter Brian Krebs says the portal belonged to the U.S. Drug Enforcement Agency. The portal links to 16 federal law enforcement databases. The two accused allegedly belonged to a data theft and extortion group called ViLE.

Russian-based cyber threat actors have gone after 74 countries since the start of the invasion of Ukraine. That’s according to an analysis by Microsoft of Russia’s cyber tactics. The most targeted country outside of Ukraine itself was the United States, followed by Poland, the U.K. and other European countries, and Canada.

Separately, Microsoft warned firms running Outlook for Windows there’s a serious security vulnerability that needs patching.

More companies are admitting to being victimized by the compromise of the GoAnywhere MFT managed file transfer service. The latest are Canadian asset manager Onex Corp. and Rubrik, a U.S.-based data recovery platform. The Clop ransomware gang is taking responsibility, claiming it has data on 130 victim organizations.

Finally, sometimes it’s the small unpatched applications that kill you. Here’s the latest example: A three-year-old unpatched vulnerability in an application development platform called Progress Telerik allowed several threat actors to recently hack into a U.S. government agency’s web server. That’s according to U.S. cybersecurity authorities. The advisory doesn’t name the civilian agency that was hit. You cannot avoid being victimized like this if you don’t have a full inventory of all the applications your staff uses.

(The following is a transcript of one of the news items David Shipley and I discussed. To hear the full talk, play the podcast)

Howard: In this week’s session we’re going to deal with cyber security news coming out of two Canadian parliamentary committees. First, the Public Safety and National Security committee issued a report on the security threat from Russia. This investigation was launched right after Russia’s invasion of Ukraine a year ago. Many of the 21 recommendations dealt with cyber threats and misinformation. Among the witnesses who testified was you. Among the recommendations are operators and businesses that connect to Canadian critical infrastructure should have the cybersecurity expertise and resources to defend against and recover from malicious cyber activity from any source; that [government set] cybersecurity standards are met and report on; that the federal government broaden the tools used to educate small and medium-sized businesses about the need to adopt cyber security standards; and that the federal government give incentives for small and media businesses to invest in cybersecurity. What did you think of this report?

David Shipley: Overall I was thrilled to see a number of recommendations that I made in my testimony make it into the final report, particularly the idea of increasing funding for small and mid-sized businesses through tax credits as well as expanded grant. Because when you think about small mid-sized businesses in Canada coming out of the pandemic with record high debt levels they just can’t afford cybersecurity. We know that up to 50 per cent of Canadian micro and small businesses aren’t spending anything on cybersecurity today. So I think this would be a win-win for government from an economic and a national security standpoint, and a win for small businesses.

Howard: But it struck me that many of these recommendations are very general. Does that help the government?

David: They are very general, and there were some specific points that I had raised in my testimony that that didn’t get the bite I was hoping for, particularly things like actually having a standard for companies that sell to the federal government — a basic hygiene standard similar to the Cyber Essentials program in the U.K. I suspect that it’s part of the committee process where you’ve got government and opposition members having to compromise on the report its wording and its recommendations.

Howard: One of the recommendations calls for the federal government to require critical infrastructure operators to prepare for and report serious cyber security incidents. Seems to me that’s the cybersecurity Bill C-26 that’s now before Parliament. It’s really odd to have this recommendation without any reference to a bill that’s right now before the House.

David: It is interesting, and I think broadly it was meant to support the government’s initiative around C-26 and also the forthcoming [updated] national cybersecurity strategy. I will admit that there are some things I was pushing for my testimony that were quoted in the report, including the need to go beyond federally-regulated critical infrastructure [in legislation] to include other areas such as healthcare and food supply, and the need for a new framework for provincial and territorial co-operation [on cybersecurity]. I am deeply concerned that we’re going to continue to see have- and have-not provinces when it comes to cybersecurity resources. It’s a painful example in Canada of how we can’t seem to evolve our confederation to meet the governance challenges of a far different era than when our country was found in 1867, and certainly far different than when we got our modern constitution in 1982.

While here in Honolulu [this week] I got a chance to tour Pearl Harbor. I’ve been thinking back to a lot to the dialogue around a potential ‘Cyber Pearl Harbor’ and I think maybe some of us misinterpreted what the experts were talking about. They may have been warning us about what that actually means. I wonder if a ‘Cyber Pearl Harbor’ is just like the attack here we’re missing all the warning signs. We ignore and make assumptions about the relative safety of the systems we have in place. Just like how the U.S. Navy assumed that airdropped torpedoes wouldn’t work because the harbor here is so shallow. Or how communication systems broke down and critical warnings weren’t received until the last minute. The other thing about the Pearl Harbor story — and I think we’ve seen this a little bit in the Ukraine-Russia conflict — is that the Japanese thought it would be far more catastrophic attack than it was. While there was certainly a tragic loss of thousands of lives, most of the U.S. Navy ships were repaired and put back into service. The psychological effect that Japan hoped for in this surprise attack actually had the opposite effect. I wonder, as we think about this next decade and we think about offensive and defensive cyber, if we’re not making the same mistakes in history.

Howard: Another recommendation in this report is that the federal government look at a combined Canada-U.S. cyber defense command structure. Do you think this is a good idea and what’s the advantage?

David: I think there could be a huge advantage but I doubt the Americans will see much interest in it. Why would they? What exactly do we bring to the table these days in terms of capability? We have no equivalent to the U.S. Cyber Command. We have offensive cyber based capability within CSE (the Communications Security Establishment, which has the responsibility of protecting federal IT networks and cracking adversaries’ code) to whatever effect that has. But we simply haven’t put the resources into being a partner with the Americans. [See also this document about the Canadian Armed Forces cyber responsibilities]

I think we are very much at risk as being seen as freeloading once again, just like we have done for decades with NORAD. And I also don’t see the Americans trust us that much. We can look no further than the fact that Canada was cut out of the club with the new Australia-US-UK (AUSUK) military partnership. I mean, we are a pacific nation. One would have thought it would have made sense to include us, unless our previous foreign policy with respect to China and taking years to figure out what we were doing with Huawei has left us out in the cold. So while the committee might be recommending this, I don’t think the Americans would really care to have us at the party.

Howard: It will be interesting to see how fast or if the Canadian government decides to act on this report and how many of the recommendations it will put into force.