Building Trust Improving Technical Security

Hit Pause: Take a Moment to Reflect on the Repercussions of the Recent Ransomware Attacks

As these devastating global ransomware attacks illustrate, cybersecurity is not an issue that can be ignored. Any time a device or system is connected to the Internet, it is a potential target. Once just another lucrative means of extorting money from Internet users, ransomware is emerging as a preferred tool for causing widespread disruption of vital services such as hospitals, banks, shipping, or airports. Attacks are growing more sophisticated and more enduring, with longer-term damaging effects and wider impact. Ransomware exploits the slow pace of security patching, systems that depend on old software, and poor backup practices. It also provides a smokescreen for other nefarious acts, including stealing data and credentials, or even wiping data. So the name “ransomware” becomes illusory: what we are really dealing with is “hydraware.”

Also, as the recent attack demonstrates, one security vulnerability in just one piece of software can wreak havoc across multiple critical government and business services. Information security experts have traced the “patient zero” in Petya/NotPetya to poisoned update servers for M.E.Doc (accounting software developed by a Ukrainian company). This tactic is not new: as recently as May, the update servers for HandBrake, a free and open-source transcoder for digital video files, were compromised with Proton malware, designed to scoop up the keychain (including all passwords) for use in future attacks. These attacks underline how essential it is that vendors secure and monitor their software update servers.
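One concrete form that “monitoring the update server” can take is integrity checking of the published release directory against a manifest recorded at build time, so that a swapped installer, a dropped file or a removed file is reported before clients fetch it. The following is an added example and not code from the original post, from M.E.Doc, from HandBrake or from any vendor named above; it assumes the vendor keeps a trusted copy of a simple JSON manifest (relative path to SHA-256) produced on the build host, and the directory layout and file contents in `demo()` are constructed for illustration.

```python
"""Integrity check of a software-distribution directory against a release manifest.

Added example (not from the original article). Assumptions: the vendor hashes
every release file on the build host into a manifest (relative path -> SHA-256)
and the monitor holds a trusted copy of that manifest, so anything on the
update server that is modified, missing or unexpected can be reported.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Return the hex SHA-256 digest of a file, streaming it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(release_dir):
    """Hash every file under release_dir, keyed by forward-slash relative path.
    Intended to run once at build time on the build host, not on the server."""
    manifest = {}
    for root, _dirs, files in os.walk(release_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, release_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def check_release_dir(release_dir, trusted_manifest):
    """Compare what the server currently serves with the trusted manifest.
    Returns sorted lists of modified, missing and unexpected paths."""
    observed = build_manifest(release_dir)
    modified = sorted(p for p in trusted_manifest
                      if p in observed and observed[p] != trusted_manifest[p])
    missing = sorted(p for p in trusted_manifest if p not in observed)
    unexpected = sorted(p for p in observed if p not in trusted_manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: a release is published, then after publication one
    installer is replaced, a file is dropped in, and the release notes vanish."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "v1.0"))
        with open(os.path.join(d, "v1.0", "setup.exe"), "wb") as f:
            f.write(b"original installer bytes")       # constructed content
        with open(os.path.join(d, "v1.0", "readme.txt"), "wb") as f:
            f.write(b"release notes")                  # constructed content
        trusted = build_manifest(d)                    # snapshot at build time

        # Post-publication tampering (constructed for the demonstration)
        with open(os.path.join(d, "v1.0", "setup.exe"), "wb") as f:
            f.write(b"replaced installer bytes")
        with open(os.path.join(d, "v1.0", "update.dll"), "wb") as f:
            f.write(b"file that was never in the release")
        os.remove(os.path.join(d, "v1.0", "readme.txt"))

        return check_release_dir(d, trusted)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule against the distribution point, any non-empty list in the report is an alert. The manifest is only as trustworthy as where it is stored, so it belongs with the build artefacts (and ideally under the release signing key), never on the server it is checking.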

Additionally, researchers tracing the progress of the Petya/NotPetya malware observed that it exploited user administrative privileges to gain access to credentials, which it then used to infect other devices on the network. This is a timely reminder that giving users administrative privileges means a compromised device can more readily infect others on the network.
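The behaviour described above, a harvested credential reused from one compromised device to reach many others, leaves a recognisable footprint in authentication logs: a single account and source host fanning out to an unusual number of distinct destinations in a short window. The following detection is an added example, not code from the original post or from the researchers it cites; the log lines are constructed and deliberately simplified to four fields (timestamp, account, source host, destination host), and the five-minute window and five-host threshold are tuning assumptions, not values from the page.

```python
"""Flag one (account, source host) pair authenticating to many distinct hosts
within a short window, a common footprint of credential reuse for lateral
movement.

Added example (not from the original article). Input lines are constructed
and simplified: "<ISO timestamp> <account> <source host> <destination host>".
Window length and host threshold are assumptions to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a service account touching two servers (normal), and a
# workstation user's credential reaching six different hosts in 40 seconds.
SAMPLE_EVENTS = [
    "2017-06-27T10:00:01 net-svc WKS-07 FILE-01",
    "2017-06-27T10:05:00 net-svc WKS-07 FILE-02",
    "2017-06-27T10:30:00 j.doe WKS-12 FILE-01",
    "2017-06-27T10:30:03 j.doe WKS-12 FILE-01",   # retry, same host
    "2017-06-27T10:30:08 j.doe WKS-12 FILE-02",
    "2017-06-27T10:30:15 j.doe WKS-12 HR-01",
    "2017-06-27T10:30:21 j.doe WKS-12 FIN-01",
    "2017-06-27T10:30:30 j.doe WKS-12 DC-01",
    "2017-06-27T10:30:40 j.doe WKS-12 WKS-03",
]


def parse_event(line):
    """Split one constructed log line into a dict with a datetime."""
    ts, account, src, dst = line.split()
    return {"time": datetime.fromisoformat(ts), "account": account,
            "src": src, "dst": dst}


def detect_fanout(lines, window_seconds=300, threshold=5):
    """Return one alert per (account, src) whose distinct destination count
    within any window of window_seconds reaches threshold."""
    window = timedelta(seconds=window_seconds)
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["account"], e["src"])].append(e)

    alerts = []
    for (account, src), evs in by_actor.items():
        start = 0
        counts = {}                       # destination host -> hits in window
        for end, e in enumerate(evs):
            counts[e["dst"]] = counts.get(e["dst"], 0) + 1
            # Slide the window start forward, dropping events that fell out.
            while evs[end]["time"] - evs[start]["time"] > window:
                old = evs[start]["dst"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= threshold:
                alerts.append({"account": account, "src": src,
                               "first": evs[start]["time"].isoformat(),
                               "hosts": sorted(counts)})
                break                     # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_EVENTS):
        print(f"{a['account']}@{a['src']} reached {len(a['hosts'])} hosts "
              f"from {a['first']}: {', '.join(a['hosts'])}")
```

Counting distinct destinations rather than raw logon events keeps retries against one server from triggering the rule, and keying on the source host as well as the account separates a legitimately busy administrator working from a management host from the same credential suddenly used from a user workstation.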

There are three other aspects of these attacks that should be called out – software patching, security vulnerability disclosure, and attribution.

Both the WannaCry and Petya/NotPetya malware exploited a security vulnerability in the Windows OS known as “EternalBlue.” WannaCry should have been a warning to patch urgently, and many did. However, others did not. Why? Industrial systems may use legacy software. Enterprises may have poor software update policies, may be using unlicensed software, or may have old devices that cannot run supported software. Some of these scenarios are easier to fix than others. But a good place to start is shortening the software update cycle for as many devices and systems as possible to improve the “herd immunity” of devices connected to the Internet.

While the EternalBlue security vulnerability was known at the time of the attacks, it was originally a zero-day exploit held by the NSA, revealed to the public by ShadowBrokers. Imagine if it had not been exposed earlier in the year – how much worse might the attacks have been? These attacks bring to light the dangers of hoarding zero-day exploits and the importance of responsible security vulnerability disclosure.

Imagine you discovered that your neighbour had forgotten to lock their door: would you tell them? What if it was the door to their bank vault or medical file? Would you keep that information to yourself, planning to enter at your leisure when no one was looking? Or would you help them secure their door? Or worse, would you hope that only you would be able to try the handle when you decided you wanted something?

States have a vested interest in strengthening the security of the Internet and the devices that connect to it. Without the Internet, there would be no digital economy. Yet any time there is a known security vulnerability, it’s like leaving the door unlocked, hoping no one will try the handle. Zero-day vulnerabilities might initially seem like attractive tools in the fight against cyber criminals, but as long as they exist they pose a real and imminent threat to hundreds or thousands of innocent users. And, as we saw with WannaCry and Petya/NotPetya, exploits of software security vulnerabilities can have real-life consequences such as delays in medical treatment, suspension of banking operations, and disruption of port services.

Criminals will always search for any way in, but state actors have a responsibility to secure the Internet, not to weaken it. They should both practice and encourage swift responsible disclosure of security vulnerabilities so they can be patched everywhere. In the end, it’s about making sure we do all that we can to protect citizens online, and out in the world.

A number of security researchers speculate that the Petya/NotPetya attack was a state-sponsored attack on Ukraine. If this is correct, it raises questions for which no one has an easy answer – Is attribution possible? When does a cyber attack rise to the level of an act of war? What should be the appropriate response? According to a statement from NATO’s Cooperative Cyber Defence Centre of Excellence, “NATO’s Secretary General reaffirmed on 28 June that a cyber operation with consequences comparable to an armed attack can trigger Article 5 of the North Atlantic Treaty.” In a recent speech, UK Defence Secretary Sir Michael Fallon clearly signaled that offensive cyber is part of their arsenal, and that cyber attacks could be met with attacks by land, air, sea or cyber. This is a clear signal that cyber warfare could spill over into the realm of military warfare. Keep in mind too that Petya/NotPetya caused disruption and harm beyond Ukraine, across the world. If the target was Ukraine, the collateral damage was extensive. How might the “non-target” countries react? And where might that take us?

These are not problems we can solve alone. However, it is clear that Internet security must be a priority, and deliberate acts to undermine it must be off limits. We must tackle Internet security from all fronts by ensuring: security vulnerabilities are identified early and responsibly disclosed; devices and systems are patched; security experts are able to coordinate and act; critical services have built in redundancy; and, users are alert to phishing and other types of social engineering.

Only through this type of collaborative security will we create an Internet we all can trust.


WannaCry Ransomware Attacks: A Test of Africa’s Cybersecurity Preparedness

A number of African countries, including South Africa, Nigeria, Angola, Egypt, Mozambique, Tanzania, Niger, Morocco and Tunisia, have reportedly been attacked by the recent “WannaCry” ransomware that hit institutions around the world. Ransomware is a type of malicious software designed to block access to data or a computer system until a sum of money is paid. The ransomware attack has compromised mostly public institutions and businesses in over 150 countries. The malware, which has gone by multiple names, including WannaCry, WannaDecryptor, and WannaCrypt, threatens to erode Internet trust and cripple businesses.

While the incidents are widespread and expected to continue, they raise two questions:

Should Africa be alarmed by cyberthreats, such as this recent attack?

Does Africa have the cybersecurity preparedness and capacity to deal with these types of threats?

Africa is home to some of the world’s fastest growing economies, with the Internet playing a catalytic role in this growth. Africa’s Internet penetration rate is 27% (Internet World Statistics, March 2017) and the mobile penetration rate is 47% (GSMA). Without a doubt, Africa has experienced explosive growth in the use of technology and ICTs in recent years. African hospitals, banks, government institutions, and other organizations rely on computers and the Internet – any interruption can cause major damage to their economy and society. There is no doubt Africa should be as concerned as the rest of the world about these kinds of cyberthreats.

To answer the second question, we need to discuss how Africa can prepare against such risks. No one person can solve these problems alone. The Internet is developed and managed thanks to the contribution of many stakeholders from around the world, and the solution to cybersecurity is no different. Everybody should contribute to making the Internet safe. An individual or organization who doesn’t protect their computers endangers the whole Internet.

The Internet Society advocates the Collaborative Security approach to tackle security issues. It offers guidance on how we can secure the Internet without compromising its fundamental values.

Africans have a role to play in making the Internet safe for themselves and for the rest of the world, though there are some challenges ahead. Africa lacks adequately skilled professionals, has limited public awareness of the risks of cyber attacks, lacks knowledge of cyber law enforcement mechanisms, and lacks practical regulatory guidance from governments, among other gaps. The African Union Convention on Cyber Security and Data Protection is a great tool and a recognition that African policy makers acknowledge the problem of cyber security – but it is not a silver bullet. All stakeholders at the regional, national, organizational, and individual level should work together to mitigate the risk.

The Internet Society urges a multistakeholder approach in resolving these challenges. Olaf Kolkman’s blog post “It’s Up To Each Of Us: Why I WannaCry For Collaboration” details the Collaborative Security approach, while Niel Harper provides tactical “how to” advice in “6 Tips for Protecting Against Ransomware.”

In addition, ISOC and its partners at the Geneva Internet Platform/Diplo Foundation are organizing a webinar about WannaCry on 18 May 2017 at 11:00 UTC, which is open to all. You may also be interested in this detailed collection of WannaCry information from GIP Digital Watch: WannaCry: The ransomware cyber attack explained.

Read more about Collaborative Security


Webinar – May 18 – WannaCry Ransomware: Why is it happening and (how) is it going to end?

What is happening with the WannaCry ransomware that has been attacking unpatched Windows computers around the world? How will it all end? What do we need to do collectively to deal with attacks like this? (Hint: Read Olaf’s post.)

To learn more and pose questions to a panel of experts, you can join our partners at the Geneva Internet Platform and Diplo Foundation for a webinar on “Decrypting the WannaCry ransomware: Why is it happening and (how) is it going to end?”

  • Thursday, May 18 at 11:00 UTC (13:00 CEST)

Read more on the event page – and register for free.

Our Niel Harper, author of the recent post “6 Tips for Protecting Against Ransomware”, will participate as one of the panelists.

As noted in the session abstract:

The webinar will provide an analysis of the main technological, geopolitical, legal, and economic aspects of the ransomware. Experts from different fields will discuss why ransomware has become a major issue. Can such attacks be prevented by technological measures alone? Is there a need for a legal response, such as Microsoft’s proposal for the Digital Geneva Convention? Is raising more awareness among users the ultimate solution?

The webinar will discuss whether it is possible to put a stop to malicious software, or whether it should be considered the price we have to pay for the many advantages of the Internet. Choices on policy will have to be made sooner rather than later. The aim of the discussion is to explore and help make informed policy choices.

We encourage you to attend and share the information with others.

NOTE: If 11:00 UTC is a bit too early or late for you, the webinar will be recorded so that you can view it later.

To help understand more, the Geneva Internet Platform Digital Watch team has prepared this excellent page of information:

See also our blog posts:

Image credit: a screenshot of the WannaCry visualization provided by MalwareTech.