Passwords have been in the news again recently. Most notably, on Friday 23 June, accounts with weak passwords on the UK Parliamentary network were compromised; however, fewer than 1% of the system's 9,000 accounts were directly affected. Attention was also drawn this week to router password weaknesses, as Virgin Media advised customers with Virgin Super Hub 2 home routers to change their passwords. This followed concerns that the routers shipped with a relatively weak eight-character default password consisting only of lower-case letters (a keyspace of 26^8, roughly 2 × 10^11 candidates), which was reported to be crackable in four days and could give an attacker access to other devices on the home network. Routers supplied by other service providers may also come with default passwords, and the same check applies to them: a default that is short, predictable in structure, or shared across devices should be changed when the router is installed.
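To make the keyspace argument concrete, the following Python is an added example, not part of the NCSC report or of any vendor's tooling. It takes the one data point the text gives (eight lower-case characters, four days) and, on the stated assumption that the four days correspond to an exhaustive search, derives the guess rate that implies and then projects how long other default-password formats would survive at the same rate. The sample passwords are constructed to illustrate formats and are not real device defaults.

```python
import math
import string
from typing import Optional

# Figures quoted in the text: an eight-character default password made up
# only of lower-case letters was reported to be crackable in four days.
REPORTED_LENGTH = 8
REPORTED_CHARSET = 26
REPORTED_DAYS = 4.0

# Alphabet sizes for the character classes a default password visibly uses.
# string.punctuation holds the 32 printable ASCII symbols.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),
}


def charset_size(password: str) -> int:
    """Size of the alphabet a cracker would search once the password's
    character classes are known (for a default, that is learnt from one
    device and applies to every device that shares the format)."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
        else:
            raise ValueError(f"unsupported character {ch!r}")
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length: int, charset: int) -> int:
    """Number of candidate passwords for a fixed length and alphabet."""
    return charset ** length


def implied_guess_rate() -> float:
    """Guesses per second needed to exhaust the reported keyspace in the
    reported time. Assumption (not stated in the report): the four-day figure
    is a full exhaustive search, which makes this a conservative rate."""
    return keyspace(REPORTED_LENGTH, REPORTED_CHARSET) / (REPORTED_DAYS * 86400)


def bits_of_entropy(password: str) -> float:
    """log2 of the keyspace: the usual unit for comparing password policies."""
    return len(password) * math.log2(charset_size(password))


def crack_days(password: str, rate: Optional[float] = None) -> float:
    """Days to exhaust the keyspace of a password with this length and
    character mix at `rate` guesses/second (default: the rate implied above)."""
    rate = implied_guess_rate() if rate is None else rate
    return keyspace(len(password), charset_size(password)) / rate / 86400


if __name__ == "__main__":
    # Constructed sample formats, not real router defaults.
    for sample in ["qwertyuz", "Qwertyu1", "Hub2Rout3rKey!"]:
        print(f"{sample!r:18} {bits_of_entropy(sample):5.1f} bits  "
              f"~{crack_days(sample):.3g} days at the implied rate")
```

The projection is a ceiling, not an estimate: a dictionary or keyboard-pattern attack finds a password like the first sample long before exhaustive search would, and real cracking rigs run far faster than the rate implied by a four-day figure. The useful comparison is relative, and it shows why adding character classes and length to a default moves it from days to effectively never at any fixed rate.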
Passwords also featured in Ciaran Martin’s interview with BBC’s Today programme (Friday 30 June, 0810) where he recommended that two-factor authentication be used so that a stolen password is much less valuable to a criminal.
NCSC password guidance can be found here.
A portion of Microsoft Windows 10 source code leaked online
Microsoft has confirmed that a portion of its source code has been leaked online. The original source of the leak is unknown; the content was posted to Beta Archive, one of the largest online 'beta and abandonware' repositories for prototype software. The leaked content was 1.2GB in size and has since been removed from the Beta Archive site.
Microsoft already shares some of its source code with industry partners and governments through its Shared Source Initiative; this instance, however, was an unauthorised leak. A number of theories about who is responsible are circulating. Was it one of Microsoft's trusted partners who already had access to the source code? Or was it a criminal who illegitimately obtained access to the code before leaking it? There is no evidence either way at this stage. The leak occurred one day after two men were arrested in the UK for unauthorised access to Microsoft's network; however, there is no evidence that the two incidents are related.
Some reports have highlighted the risk that malicious actors could use the leaked code to find vulnerabilities and then develop exploits for them. Similar claims were made when a portion of Microsoft's Windows 2000 source code leaked in 2004, and that leak did not result in a significant increase in related attacks. It is also worth remembering that attackers already analyse the shipped binaries directly; access to source mainly lowers the effort of that analysis, so the defensive response is unchanged: apply Microsoft's updates promptly. Security researchers may equally use the leaked code as an opportunity to look for vulnerabilities and report them to Microsoft for fixing.
While Microsoft has responded to this incident, questions have been raised about how the source code was originally obtained.
Disgruntled ex-employee conducts smart meter network attack
A former radio frequency engineer used information about systems he had worked on to disable meter reading equipment at several US water utility companies. The individual has since been convicted of two counts of "unauthorized access to a protected computer and thereby recklessly causing damage” and has been sentenced to 12 months in prison.
This case demonstrates the importance of revoking access when staff leave, and of sound access management more generally. The software the former employee had used remained on his home computer after his dismissal, and he still knew the default root passwords for the equipment. A shared default password cannot be revoked by disabling a user account; it has to be changed on every device that uses it. Using these, he took advantage of his pre-existing network and system access to cause disruption (including changing a password to an obscenity and replacing the code of a script with the lyrics of a Pink Floyd song), reportedly out of frustration rather than malicious, destructive intent.
Critically, this was not a sophisticated cyber attack: the perpetrator needed little technical capability because he already knew enough about the system to disrupt it effectively. Appropriate access management matters not only for employees leaving an organisation but also for those moving between departments, where their access requirements may change. Lax access management often allows insiders to have a greater and more targeted impact on their organisations.
Cyber crime trends and statistics in 2016
The FBI has recently published its annual Internet Crime Report. The trending topics for 2016 were Business Email Compromise (BEC), ransomware, technical support fraud and extortion.
A total of 298,728 complaints were received, with reported losses in excess of $1.3 billion. The FBI estimates that only 15 percent of fraud victims in the US report their crimes to law enforcement, so the true figures are likely to be considerably higher.
The UK's National Crime Agency (NCA) considers underreporting a major barrier to understanding the true scale and cost of cyber crime. The reasons for underreporting include fear of reputational damage; not knowing whom to report the crime to; uncertainty about what constitutes a cyber crime; and being unaware that a crime has taken place at all.
Although the figures in the FBI report are not directly comparable with UK statistics, they do indicate similar overall trends, such as the increase in ransomware, BEC and technical support fraud.
The NCA has recently published a report highlighting these same cyber crime trends, as well as an increase in the prevalence of mobile malware. The NCA has also assessed that the Internet of Things (IoT) threat matured during 2016.
The UK has also seen an increase in technical support fraud, and British law enforcement and Microsoft have been working together for two years to investigate these scams. Criminals typically trick victims into believing their computers have been infected with malware and then persuade them to pay for the problem to be fixed. Sometimes the scam starts with a pop-up message on the victim's computer claiming to be from "Microsoft Technical Support"; genuine Windows error messages do not ask you to call a telephone number. As a result of the investigation, four UK citizens have recently been arrested.
The NCSC has published guidance for businesses on understanding the cyber crime business model, and for members of the public on how to protect against cyber crime and what to do if you think you have been the victim of one.
Ransomware tool causes widespread disruption
On Tuesday 27 June, widespread disruption was caused in Ukraine by a ransomware tool that then spread to other organisations worldwide over trusted network connections. The tool, which shares features with the Petya ransomware first seen in early 2016, was delivered through a compulsory software update used by Ukrainian financial and government institutions.
Once installed, the malware looked for other systems to exploit using some of the same worm-like capabilities seen in the WannaCry attacks, namely the SMB vulnerability fixed by Microsoft's March 2017 update (MS17-010). In addition, it scraped credentials from the memory and file system of infected devices and used them to authenticate to other hosts, which allowed it to move laterally through a network even where hosts had been patched against the exploits used; patching alone is therefore not a complete defence against it. This highly crafted tool was designed to spread rapidly, in some cases overwriting the Master Boot Record (MBR) of infected computers and displaying a ransom note demanding payment in Bitcoin. Despite that demand, the malware does not store a decryption key, so the attackers could not restore a victim's files after payment; no successful decryptions following payment have been reported.
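Because the credential-reuse path reaches patched hosts, an exploit signature on its own does not cover this behaviour. What the exploit path and the stolen-credential path have in common is one account authenticating to many hosts in seconds, which is visible in ordinary Windows logon telemetry. The Python below is an added example, not part of the NCSC report or of any product: it runs a fan-out detection over constructed, flattened logon records. The meaning of event ID 4624 (successful logon) and logon type 3 (network logon, as produced by an SMB or admin-share connection) is real; the host and account names, the record format, the date and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. One successful-logon event
# per line, flattened as: time event_id logon_type account source target.
# The svc_backup account touching six hosts in eleven seconds is the pattern
# a worm reusing a scraped credential produces; adm_ops touches five hosts
# over three hours, which is what a human administrator's shift looks like.
SAMPLE_EVENTS = r"""
2017-06-27T10:12:03 4624 2 CORP\jsmith WS-021 WS-021
2017-06-27T10:13:10 4624 3 CORP\jsmith WS-021 FS-01
2017-06-27T10:41:55 4624 3 CORP\jsmith WS-021 PRINT-02
2017-06-27T10:45:00 4624 3 CORP\svc_backup WS-014 FS-01
2017-06-27T10:45:02 4624 3 CORP\svc_backup WS-014 FS-02
2017-06-27T10:45:04 4624 3 CORP\svc_backup WS-014 DC-01
2017-06-27T10:45:07 4624 3 CORP\svc_backup WS-014 WS-033
2017-06-27T10:45:09 4624 3 CORP\svc_backup WS-014 WS-034
2017-06-27T10:45:11 4624 3 CORP\svc_backup WS-014 HR-APP
2017-06-27T09:02:00 4624 3 CORP\adm_ops JUMP-01 DC-01
2017-06-27T09:40:00 4624 3 CORP\adm_ops JUMP-01 DC-02
2017-06-27T10:20:00 4624 3 CORP\adm_ops JUMP-01 FS-01
2017-06-27T11:05:00 4624 3 CORP\adm_ops JUMP-01 FS-02
2017-06-27T11:50:00 4624 3 CORP\adm_ops JUMP-01 HR-APP
"""


def parse_events(text):
    """Parse the flattened records into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        time, event_id, logon_type, account, source, target = line.split()
        events.append({
            "time": datetime.fromisoformat(time),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "source": source,
            "target": target,
        })
    return events


def find_fanout(events, min_targets=5, window_seconds=300):
    """Flag accounts whose network logons reach at least `min_targets`
    distinct hosts inside a sliding window of `window_seconds`. Returns one
    alert per account describing the widest fan-out seen."""
    window = timedelta(seconds=window_seconds)
    by_account = defaultdict(list)
    for ev in events:
        # Only successful network logons; interactive logons (type 2) are
        # a person at a keyboard and are not lateral movement.
        if ev["event_id"] == 4624 and ev["logon_type"] == 3:
            by_account[ev["account"]].append(ev)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        recent = deque()   # events currently inside the window
        best = None        # widest fan-out observed for this account
        for ev in evs:
            recent.append(ev)
            while ev["time"] - recent[0]["time"] > window:
                recent.popleft()
            targets = {e["target"] for e in recent}
            if len(targets) >= min_targets and (
                    best is None or len(targets) > len(best["targets"])):
                best = {
                    "account": account,
                    "start": recent[0]["time"],
                    "end": ev["time"],
                    "sources": sorted({e["source"] for e in recent}),
                    "targets": sorted(targets),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in find_fanout(parse_events(SAMPLE_EVENTS)):
        span = (a["end"] - a["start"]).total_seconds()
        print(f"{a['account']} from {','.join(a['sources'])} reached "
              f"{len(a['targets'])} hosts in {span:.0f}s: {', '.join(a['targets'])}")
```

The window and threshold are the tuning knobs: at five hosts in five minutes only the service account fires, whereas widening the window to three hours also catches the administrator's normal round, so thresholds have to be set against what your own accounts do on a quiet day. The same logic runs unchanged over records exported from a SIEM once they are mapped to the six fields used here.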
The NCSC announced on Thursday 29 June that while managing the impact to the UK, its experts had found evidence that questioned initial judgements that the intention of this malware was to collect a ransom. The NCSC is investigating with the NCA and industry whether the intent was to disrupt rather than for any financial gain.
The malware has spread to a number of organisations worldwide that do business with Ukraine, including Russia’s oil firm Rosneft, Danish shipping concern Maersk and a large UK advertising agency.
Whilst this latest ransomware infection was more limited in scale than WannaCry, it is assessed that the success of these two incidents is likely to motivate other actors who aim to cause widespread disruption to use "ransomware" as the means of doing so.