Project 43

Ransom Attacks


 

There are three broad categories of hackers:

  1. Destructive (crash a website, destroy data)

  2. Social Justice (Edward Snowden, WikiLeaks)

  3. Those that want to make a Profit 

One of the popular tactics used by those in category 3 is to hack into a company database (such as Target) and steal credit card information. The hacker can then take these to a “Cyber Pawn Shop” where the list would be published for sale on the ‘Deep Web’.


These ‘Cyber Pawn Shop’ sites will sell credit cards in bulk; the price is normally reduced as they ‘age’ in time. Bottom line- it is better to steal LOTS of credit card info, which is why a hack such as Target was possibly a large financial score.

Now we are seeing a dramatic increase in Ransom Attacks. The hacker goes into the computer system, takes control and encrypts operational data, demanding payment for a password.

On one level this approach makes better business sense:

  1. Eliminate the middleman (Cyber Pawn Shops)

  2. Hackers set their own price

In some of the recent attacks, systems were simply shut down. Earlier this year a hospital had its medical records encrypted- basically shutting down the hospital (Hollywood Presbyterian Medical Center) until a ransom was paid. Hospitals, schools and cities are estimated to have paid hundreds of millions of dollars to date (source- CHRIS FRANCESCANI- NBC News).

Hackers are also targeting Police Departments nationwide.

A quote from the August 19, 2016 Wall Street Journal article by Robert McMillan:

“According to the U.S. Department of Justice, ransomware attacks have quadrupled this year from a year ago, averaging 4,000 a day. Typical ransomware payments range from $500 to $1,000, according to cyberrisk data firm Cyence Inc., but some hackers have demanded as much as $30,000.”

One aspect of this that is of great concern- in many cases these organizations have an IT department and security policy. They have purchased the typical ‘products’ such as firewalls, etc. So how can this be happening?

Today it is estimated that over 90% of the Ransom Hacks enter through a ‘phishing’ email, which an employee ‘clicks on’.

SO- based on the above, we can see two issues:

  1. The phishing email made it through the system

  2. Employees may not be properly trained regarding email security

If you’ve already transitioned to an IP based NG9-1-1 system you are safe- for the moment- as email is not directly connected.

But how about future hacking techniques or 9-1-1 text messages with hyperlinks? 

APCO Project 43, NENA and the FCC Task Force on Optimal PSAP Architecture (TFOPA) are all discussing the issue of security as we transition to IP. We should stay plugged into their ongoing recommendations…

 

 

 

SECURITY – sometimes difficult to define


I received a letter from the U.S. Office of Personnel Management in Washington, D.C. recently. The OPM experienced a major security HACK, which they publicly admitted (thank you). This breach of data included, as I learned in the letter, details that were voluntarily provided and additional information from background investigations for thousands of security clearances, including mine (past life).

Anyone who has been involved in this aspect of working with the Federal Government knows that the higher the level of clearance, the more information required. This then needs to be verified (either through formal, feet on the street background investigations or the ever popular polygraph).


The bottom line – In my case – I am being provided credit monitoring, identity monitoring, identity theft insurance and identity restoration services, at no charge, for three years. I appreciate the Federal Government’s action.

If you think about this breach, it has tremendous negative potential. In addition to the basics- name, social security number, place of birth, etc.- they also have details on an individual’s immediate family, business relationships, foreign travel, etc. and admissions (again depending on the level of clearance) or revelations of intimate details of your personal life. So- this information could be used to identify and attempt to coerce or blackmail (reveal potentially damaging/embarrassing information) someone in an influential role (industry or government). A pretty serious situation.

Hackers had the ability to penetrate secure, classified government networks. We have to assume that there were policies/procedures in place and contractors tasked with securing these systems.

Until recently, 9-1-1 Centers (PSAPs), with their traditional analog phone line connectivity, have not been concerned with the type of ‘hacking’ or security issues normally associated with IP (internet protocol) networks. As we all know, this is changing.

Most of us have heard the terms firewall or encryption. In reality, we are going to require the expertise of our vendors and consultants to make sure that our information and system functionality are safe as we move to these IP based networks. There have been critical scenarios described, such as having an ‘event’ in a major city and the 9-1-1 system being totally disabled as part of the attack.

The challenge is, who really understands all of the aspects of security? It is not unlike taking your car to be serviced. The mechanic basically has you at a disadvantage. You need to make a decision – should you trust him? We should not move into IP networks with this approach. The individual, consultant or vendor we might ‘trust’ may candidly not really have an in-depth knowledge of this very complex subject.

Make sure that your security advisor is aware of the following efforts:

National Institute of Standards and Technology:

Cybersecurity Framework

CSRC

NICE

Federal Communications Commission (FCC):

CSRIC

 

From the Users’ Perspective

As consumers, we regularly embrace new technologies. There is no extended training process (well- maybe, if you are old enough to remember the flashing 12:00 on a VCR) and certainly no requirement that you understand all of the complex technology behind it.

In the 911 community, however, there is a push to educate everyone on how the proposed Next Generation system will work. I recently attended an event where a vendor, with the best of intentions, gave a very animated ‘educational overview.’ A large group of their employees wore (or were forced to wear) signs with NG9-1-1 acronyms (LIS, LoST, ECRF, etc.). They then moved around the room as they took turns walking the 911 ‘call’ through the proper sequence.

As attendees were leaving this demonstration, I heard a number of comments such as ‘what was that all about’, and others that I choose not to include in this post.

This same type of instruction scenario happens throughout the country.

A certain segment of the 911 community welcomes in-depth technical training on the detailed network aspects of NextGen but, for the vast majority, it is of little interest. I have always thought that someone needs to focus on the users (911 call takers and management). How will this new technology impact operations, etc.? The reality is that as users, we just want it to work...

APCO has announced a new initiative, Project 43, which is focused on the user: “Practitioner-led effort prepares for the paradigm shift in public safety communications”

APCO Project 43

I’ve applied to participate; this should be interesting.