A recent analysis of a new variant of a widespread ransomware attack illustrated just how sophisticated, yet simple, breaching computer security has become. The attack, known as “Emotet,” hit the Pennsylvania city of Allentown, breaking through firewalls, evading the latest antivirus software, and costing the city more than $1 million at last count. The city cannot process financial transactions, and its police department cannot access key crime databases. Although the city is working to fix its systems, the end is still not in sight.
Security research firm Fidelis Security has published its analysis of Emotet, and one feature is especially noteworthy because it demonstrates the adage that in security, people are always the weakest link. Emotet spreads through local area networks by “brute forcing” attacks using common passwords. How common? The ones used by this particular strain of malware are listed below. If your password is one of those listed, it means that you are in the vulnerable majority of business computer system users. In fact, according to one security expert, if you use one of these as your password, you would be better off just using your own name instead!
As always, security begins with user education—teaching those who use the technology how best to defend against threats. It also means teaching the sobering fact that there is no lock that cannot be picked by an adversary willing to spend the time and money to do so. Computer security is more difficult because the bad guys are able to pick the locks from literally anywhere, and the cost to attack a system may be very low because using code from others is simple and easy.
What does this mean for critical systems, such as those that tally our votes and that run our electric grid? It means that we may always be playing catch-up. It means that we must not only continuously invest in improving security of the hardware and software, but that we must continue to educate those who manage and operate the systems. Government and private sector officials must also communicate to the public that these systems are being monitored and their security is being improved constantly in response to the threats encountered because an additional target of foreign “threat actors” is public confidence in the systems themselves.
In his testimony before the Senate Armed Services Committee on February 27, Admiral Mike Rogers, who heads both the National Security Agency and US Cyber Command, stated that he has yet to be given the order to safeguard our elections from interference by Russia. “President Putin has clearly come to the conclusion that there’s little price to pay and that therefore ‘I can continue this activity,’” said Admiral Rogers, who will retire in April. “Clearly what we have done hasn’t been enough.”
Admiral Rogers was asked during the hearing whether he had the authority and the ability to disrupt the Russian cyber campaign. Admiral Rogers replied, “I don’t have the day-to-day authority to do that.” “So you would need, basically, to be directed by the president,” stated Rhode Island Senator Jack Reed. “Have you been directed to do so?” “No, I have not,” replied Admiral Rogers.
It appears that while the U.S. badly needs to play catch-up, some parts of our government have yet to take the field. With mid-term elections months away, and a general consensus among our intelligence agencies that Russia is continuing the same campaign that many believe helped put the candidate more sympathetic to the Putin regime in the White House, Americans and their allies have a right to ask if and when the orders will be given to Admiral Rogers and his agencies to defend the informational foundations of representative government.