Bitcoins, Ransoms, Privacy and You
Are you prepared to be blackmailed personally or institutionally?
As we examine the cybersecurity challenges we face in the Wilmington region, it is not easy to separate the personal concerns from the public concerns. They overlap.
To begin with a summary as to why we are raising this now, be aware that cyber-attacks are growing in frequency and impact. Below, we cite three major cyber-attacks in the last month-May to June 2019. The payoffs to blackmailers are recently so substantial that an explosion of blackmail will certainly occur. Baltimore has spent $18M thru mid-May fighting their blackmailer (see below).
So, we are entering an era of ominous new “cyber-attacks”. With Bitcoin and other anonymous currencies, and encrypted information to hide communications, we have never been more vulnerable.
What Should You Do? Why Should You Read This Techie Stuff?
First, we need to say we are not experts. Just reasonably well read. Most experts are
specialized in a few areas and a Microsoft expert may not know as much about Apple or Google system vulnerabilities, or all of the different types of disruptions that are occurring today. We do recommend that you join in learning more, asking questions, and insisting on attention to vulnerabilities, because the price of not paying attention will be too high.
Second, wherever you live in the Wilmington region, find out what has been done and being done, to protect your critical services—County, City, Port, Utility, Service Provider or Contractor, large or small. Their vulnerability could be your vulnerability, their costs your costs. Do they have updated systems, software and practices? Competent experts or consultants? Don’t accept “we can’t afford it” type answers. What we are beginning to see is that the costs of having systems and services blocked are huge and incredibly disruptive. The question is more about how resources will be reallocated to prevent economic disruption, just as surely as we must plan for natural disasters.
Third, are they insured? And, are they demanding help from the state and regional
organizations that can help with costs, education and expertise?
Fourth, it may be time for our tech community to upgrade their skills, and it is a good time to ask our community colleges, UNCW and its CIE, TekMountain and the affiliated Consortia about courses they offer or will agree to add to their catalogs. A conference of concerned security specialists to monitor and disseminate best practices would be timely as a starting point.
Our Personal Accounts
We’ve seen our private email hacked, password stolen and received demands for Bitcoins to pay off threats of revealing real or imagined personal information from our emails and Internet access. We’ve ignored the demands with no further consequences other than repeated demands. But we were confident the threats were fake. Soon, blackmailers will use “deep fakes” such as the transposition of one persons face on another person's body so seamlessly it will be difficult to know if a picture is real or not.
Cities, Ports, Municipal Agencies—Current News Case Studies
Baltimore is still in chaos as a city, having accepted FBI advice not to pay an $80,000 Bitcoin demand to end a shutdown of citywide computer systems. Latest published cost of restoration of systems to mid-May is $18 million, with unknown further disruptions and costs pending. For example, it is known that no real estate transactions could close for weeks. We have not heard that the problems have been solved.
Riviera Beach, Florida just voted to pay a $600,000 ransom demand on June 24, three weeks after encrypted records were penetrated, payroll, email and 911 systems disrupted. They acted on the advice of consultants, disregarding FBI advice that odds were less than 50-50 that hackers would reverse the damage. They are also spending over $1million on new computer systems, in retrospect money that might have prevented the ransomware success.
Lake City, Florida, a small city of only 12,000 people, just paid a $462,000 Bitcoin ransom (that’s nearly $40 per resident!) to restore phone and email service after being crippled for two weeks, as reported on June 28. Note that the Florida cities have a pooled insurance arrangement, so all but a small amount of the costs were paid by the insurance provider.
Numerous Other Cities
Previous attacks are reported in Atlanta GA, Allentown PA, Medford PA, Greenville NC, Palm Beach FL and the Port of San Diego. For a variety of reasons, all do not report details of their costs and experiences.
Neglecting upgrades of software and systems lowers the threshold for such attacks. All cities, ports, municipal agencies need to act now with a sense of urgency, beginning with their most vulnerable services.
Attacks are growing more frequent as larger ransoms are paid. If you think you might be vulnerable to attack, the operating assumption should be that the attack will happen.
The roots of some of the ransomware are said to have begun with US developed spyware developed by the National Security Agency (NSA), proving even the best are hackable, and ironically, providing blackmailers with readily availability sophisticated cyber weapons.
Cyber security software vendors are in a race to stay responsive to the latest vulnerabilities. But that acknowledges they are attempting to play catch up. There is no such thing as assured security as technology evolves.
Using the Cloud is often thought to be a panacea. It does provide backup, but Cloud software has been hacked as well, just not as often. Cloud software is vulnerable particularly when access by authorized users is not rigidly controlled.
Security begins by taking inventory. Larger entities may not even know which systems exist, how they are used and what security measures are appropriate for each. Developing organization wide security policies and enforcing them is critical.