The availability of anti-privacy tools leaked from the vaults of the #NSA and #CIA can lead to copycat attacks.
We’ve all seen it: a poorly-worded message in pijin English, warning you that your computer is infected; or you’re a lucky prize winner; or, most recently, “Oops, your files have been encrypted!”
By the time you see this message, it’s already too late. Your files will have been encrypted by an anonymous hacker using the WannaCry ransomware: the same malware that was recently used to attack businesses and organisations in hundreds of countries including FedEx, Renault, Telefonica, the Russian Interior Ministry and Britain’s National Health Service.
What is significant about this latest attack – other than its scale – is that it exploits a vulnerability in Microsoft Windows that was first revealed in a leak of the National Security Agency’s (NSA) hacking tools by the Shadow Brokers group.
Earlier this year, WikiLeaks began to publish an even larger leak of CIA documents, which they say describe the “entire hacking capabilities” of the CIA. Called Vault 7, this leak comprises more than 8,700 documents that purport to show how the weak points in the software running your devices can be exploited to take them over. For example: Weeping Angel can be used on a Samsung smart TV to record conversations, even when it appears to be turned off.
Other examples abound. For instance, it appears the CIA has the ability to break into and control Android and iPhone handsets, as well as all kinds of computers. If it is as powerful as WikiLeaks claims, then the CIA may be able to remotely control these devices to track locations, access files, read messages and record everything heard by the microphone and seen by the camera.
Goodbye to commercial confidentiality
This might render secure apps like Signal, Telegram and WhatsApp insecure because, in addition to device locations being tracked, the content of the messages could potentially be seen by the agency too. Turning your devices off and on again won’t help either, because the tools embed themselves in the firmware that runs the phone or TV.
Some specific manufacturers, which many small and medium businesses rely on, are named in the leaked documents. For example, the CIA appears to have targeted Apple’s iPhone from 2008, the year after it was released, until 2016. Apple has issued statements that these vulnerabilities were either tied to early iPhones or have been fixed.
But small businesses aren’t a target, are they?
Even if your business does use Android or Apple products, and the CIA does have these capabilities, would they really be interested in targeting a small business? It’s tempting – reasonable, even – to dismiss the threat; and it’s probably realistic. Small businesses – or medium-sized ones, for that matter – may be of no interest to the CIA.
So, what’s the problem?
The CIA may not be directing their hacking towards small businesses, but other hackers could try to use the leaked tactics and tools.
As WikiLeaks warns, “once a single cyber ‘weapon’ is ‘loose’ it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike”.
This is something that any size of business needs to be mindful of. A recent cyber security survey by the UK government identified that almost half of UK firms were hit by a cyber breach or attack in the past year.
The prize in sight
The government survey pinpointed which type of businesses hackers were most likely to go after, saying, “Businesses holding electronic personal data on customers were much more likely to suffer cyber breaches than those that do not.”
Even if a small business isn’t handling large volumes of data, the CIA’s tools, in the wrong hands, could be used to hold any business to ransom or to compromise or steal its data.
Small businesses have much to be concerned about, because they are more likely to be short on time and the IT know-how to protect themselves, whereas larger businesses may have more sophisticated defences in place, and an entire IT department to defend against malware attacks. However, as WannaCry has demonstrated, even large organisations can be victims.
The NHS became an easy victim of WannaCry, because they were running PCs using Windows XP or Windows 7. XP is no longer supported and no security patch was available, so they were vulnerable. Patches were available for Windows 7, however, so PCs could and should have been updated – but weren’t. Microsoft has now released emergency patches for PCs running Windows XP, Windows 8 and Windows Server 2003.
Even if a hacker doesn’t demand a huge ransom from a single business, the sums can add up because they could be holding hundreds of businesses to ransom simultaneously. That makes targeting multiple businesses in one go worthwhile. Not all will pay the ransom, but some will because they have no choice.
Greg Mosher, VP of product and engineering, SMB, AVG Business by Avast Software, adds, “What attacks like WannaCry show us is that no business or organisation should think itself immune to hackers’ ransom demands. The UK government’s survey findings reveal just how attractive data is to hackers and how prevalent cyberattacks are. The leaked documents, on the other hand, demonstrate that hackers could gain access to that data by exploiting the weaknesses in any number of devices and outdated software. Small businesses don’t have to be defenceless though. They can reduce the chance they’ll be held to ransom by using up-to-date (patched) software and antivirus.”
Six tips to make the hacker’s life harder:
- Update the software on your devices as soon as an update becomes available.
- Install security patches as soon as they become available. Microsoft had issued a patch against WannaCry two months before the attacks.
- Consider replacing devices (or software) which cannot be updated, or taking them offline.
- Follow official advice: run antivirus software and keep it updated.
- Create strong and unique passwords for all your devices and software, and never use the default one provided by the manufacturer.
- Limit the access to your systems and data on a strictly need-to-know basis.