CTC’s November 2018 Threat Report

It’s one of the longest-held animal myths of all time: that ostriches bury their heads in the sand to avoid danger. They don’t; they’re preparing nests or caring for their eggs. (Anything that buried its head in the sand would have a difficult time breathing.)

But as a metaphor for people avoiding difficult situations by making themselves as oblivious to them as possible? That myth makes for powerful imagery.

Which is why, one final time, we’ll invoke it this month. It might describe what’s going on at either Bloomberg Businessweek or Apple. It definitely describes what’s going on to some degree with many MikroTik router owners. And it might even apply to some Pentagon officials.

Bloomberg’s scary story not frightening many

The veracity of one of the most significant cybersecurity stories of the year remains hotly contested by its major players weeks after it broke.

Bloomberg Businessweek published an article claiming that some of the largest U.S. companies had been compromised through a hardware supply-chain attack carried out by a foreign power.

The article’s allegation: that the Chinese government had tiny chips implanted in server hardware used by Apple, Amazon, and other corporations to aid its years-long spying efforts. The chips were so small, the article states, that they went undetected for years.

To hear Apple and the other players — including Chinese leaders — tell it, the chips avoided detection for so long because they never existed in the first place.

“There is no truth in their story about Apple,” Apple CEO Tim Cook said. “They need to do the right thing and retract it.”

For their part, Bloomberg Businessweek’s editors stand by their reporting, despite denials from the other alleged victim companies as well.

With a sea of opposition to the article (including to the cover of that edition of the magazine, which made it look as though Bloomberg had one of the spy chips in hand), we may be left with a cautionary tale that has plenty of caution and possibly a bit too much “tale.”

And yet …

Despite the denials from the alleged victims and the publication’s somewhat tepid defense, the scenario illustrates what is at stake in supply-chain security: a compromise introduced before hardware ever reaches you is one that no software running on that hardware can be trusted to notice. That makes the basics matter more, not less. A thorough security audit, penetration testing, endpoint protections, and an inventory of where your equipment comes from: if you are not doing these things, you run a genuine risk of being lapped by attackers (including those working for foreign governments) who are more engaged than you are in finding a path to your data.

You can learn more about protecting your company here.

The kindness of strangers

Either side of the debate over Bloomberg Businessweek’s story could maybe use a mysterious Russian-speaking hacker to help them out.

After the man is done patching a router security flaw in devices around the world, that is.

The vulnerability in MikroTik routers has been exploited over the last several months mainly to inject cryptojacking scripts into web traffic passing through the routers and to change the routers’ DNS settings so that users behind them could be redirected to malicious sites.

From ZDNet:

“CVE-2018-14847 is a very convenient vulnerability because it allows an attacker to bypass authentication and download the user database file. Attackers decrypt this file and then use one of the username & password combos to log into a remote device and make OS settings and run various scripts.”

Enter “Alexey,” the only name given for the hacker who is going around closing the hole. Allegedly a network administrator himself, Alexey claims to have patched more than 100,000 routers already … much to the dismay of the people he says he is helping. Most of them, he says, are outraged.

They have good reason. Accessing another person’s or organization’s equipment without consent is against the law. And a router that a stranger has logged into with administrative rights cannot be presumed clean just because he says he patched it: the same access that lets him apply a fix lets him change anything else.

This may go without saying, but we’ll say it anyway: you should never rely on a stranger on the other side of the world to patch your network equipment. Now is as good a time as any to confirm that your MikroTik routers, and any other routers, are running a release that fixes the flaw, and that their management interfaces (for MikroTik, the Winbox service this vulnerability is reached through) are not exposed to the internet.
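One way to turn that advice into a repeatable check. The script below is an added example written for this report; it is not MikroTik’s tooling and not code from the original article. It takes the output of the RouterOS command /system resource print (a constructed sample is embedded so it runs offline) and flags versions that predate the CVE-2018-14847 fixes. The fix levels it assumes are 6.40.8 for the long-term channel and 6.42.1 for the stable channel, with RouterOS 6.29 through 6.42 affected; confirm those against MikroTik’s release notes for your channel before relying on them. The inventory file, the admin username, and the management subnet in the comments are placeholders.

```sh
#!/bin/sh
# Added example for this report, not MikroTik's tooling or the article's code.
# Classifies a RouterOS version string against the CVE-2018-14847 fix levels.
# Assumed fix levels (verify against MikroTik's changelog for your channel):
#   6.40.8 on the long-term channel, 6.42.1 on the stable channel;
#   RouterOS 6.29 through 6.42 are treated as affected.

# routeros_vulnerable VERSION
#   exit 0 -> affected release, 1 -> not affected, 2 -> version not parseable
routeros_vulnerable() {
    v=${1%% *}                           # drop a channel tag such as " (long-term)"
    major=${v%%.*}
    [ "$major" != "$v" ] || return 2     # no dot at all, e.g. "6"
    rest=${v#*.}
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;       patch=0 ;;          # "6.42" means 6.42.0
    esac
    [ -n "$minor" ] && [ -n "$patch" ] || return 2
    case "$major:$minor:$patch" in
        *[!0-9:]*) return 2 ;;           # letters or extra dots, e.g. "6.42rc52"
    esac
    if [ "$major" -ne 6 ] || [ "$minor" -lt 29 ]; then
        return 1                         # outside the affected 6.x range
    fi
    if [ "$minor" -lt 40 ]; then return 0; fi        # 6.29 .. 6.39
    if [ "$minor" -eq 40 ]; then
        [ "$patch" -lt 8 ] && return 0               # 6.40.0 .. 6.40.7
        return 1                                     # 6.40.8+ (long-term fix)
    fi
    if [ "$minor" -eq 41 ]; then return 0; fi        # every 6.41.x
    if [ "$minor" -eq 42 ] && [ "$patch" -lt 1 ]; then return 0; fi   # 6.42.0
    return 1                                         # 6.42.1+ (stable fix)
}

# routeros_version_from_print TEXT
#   pulls the "version:" value out of '/system resource print' output
routeros_version_from_print() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*version:[[:space:]]*//p'
}

# Constructed sample of what '/system resource print' returns over SSH.
SAMPLE_RESOURCE_PRINT='                   uptime: 3w2d14h11m
                  version: 6.40.5 (long-term)
               build-time: Oct/26/2017 10:55:31
              free-memory: 11.2MiB
             total-memory: 32.0MiB
                      cpu: MIPS 74Kc V4.12
               board-name: hAP lite'

# check_router NAME RESOURCE_PRINT_OUTPUT -> prints a one-line verdict
check_router() {
    ver=$(routeros_version_from_print "$2")
    status=0
    routeros_vulnerable "$ver" || status=$?
    case $status in
        0) echo "$1: RouterOS $ver is affected by CVE-2018-14847; upgrade" ;;
        1) echo "$1: RouterOS $ver is not affected" ;;
        *) echo "$1: could not parse version '$ver'" ;;
    esac
}

# Stand-alone run against the constructed sample.
check_router "hAP-lite" "$SAMPLE_RESOURCE_PRINT"

# Real use (assumed inventory file with one hostname per line, assumed admin user):
#   while read -r host; do
#       out=$(ssh -o BatchMode=yes admin@"$host" '/system resource print')
#       check_router "$host" "$out"
#   done < routers.txt
#
# Remediation on the router itself, from the RouterOS CLI:
#   /system package update check-for-updates
#   /system package update install
#   /ip service set winbox address=192.168.88.0/24   # reachable from the LAN only
```

The version check is deliberately a pure function so it can be dropped into whatever inventory tooling you already have; the only thing it needs is the version string. Restricting the Winbox service to your management subnet closes the path this vulnerability was reached through even before the upgrade completes, and it is worth keeping afterward.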

Weak defense elicits a shrug

Despite MikroTik’s rapid response to the vulnerability in its RouterOS software, it is clear that not enough router owners or administrators are applying the fix. It is a lackadaisical approach to network security that may one day prove to be a grievous miscalculation on their part.

It’s such a stunning mistake that it’s hard to imagine why so many people continue to make it. Even worse? Knowing that such problems have infiltrated the Pentagon.

According to a report from the Government Accountability Office (GAO), many of the Department of Defense’s weapon systems are vulnerable to cyber attack. Making matters worse: officials have known about some of these vulnerabilities for years and have still not corrected them.

Another issue is how limited the testing conducted within the Pentagon has been. From NPR:

“[T]he Defense Department’s hacking and cyber tests have been ‘limited in scope and sophistication.’ While they posed as hackers, for instance, the testers did not have free rein to attack contractors’ systems, nor did they have the time to spend months or years to focus on extracting data and gaining control over networks.”

Still, the tests cited in the report found “widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond, and recover.”

Bad actors looking to infiltrate your networks will not limit the “scope and sophistication” of their attacks. Whoever you rely on for your security audits, make sure they apply the same effort an attacker would. Anything less is a half-measure that will protect neither your company’s data nor its reputation should anything happen to that data.

CTC Technologies is here for you

Uncertain what to do next? An easily executed action item is to contact CTC Technologies. Reach out to us online or at 734-408-0200, and we’ll be happy to discuss with you ways to protect your company against the unyielding tide of cyber assaults that occur every day.

And you can rest assured that none of our solutions involve sand.

P.S. Make sure you follow us on Twitter and Facebook for security updates, as well.