New CDA Institute blogger Mike Belyea discusses ransomware and the limits of cloud storage as a defence.

Just before the 2016 New Year, the office of the American enterprise Children in Film was buzzing. Employees were putting the final touches on the business's expense reports before the upcoming holiday. The company's files were backed up using a cloud storage service: as employees saved files, the changes were synced to machines elsewhere. Hard at work, one employee opened an email with an attachment that appeared to be an invoice. She opened the file and went about her business. Thirty minutes later, no one in the company had access to any files. They had all been encrypted, and a message explained how to pay a ransom; once paid, allegedly, the attacker would return the files.

It happened covertly. When the employee opened the attachment she believed was an invoice, she was actually allowing a form of malware, called ransomware, onto her computer. Running undetected, the ransomware worked through every file she could write, encrypting each one. That would have been devastating enough. Cloud sync, however, works by duplicating a computer's files onto machines elsewhere and keeping the copies identical to the originals. The sync client cannot tell a legitimate edit from ransomware output: as each file was encrypted on the employee's computer, the encrypted version was uploaded and overwrote the clean copy in cloud storage. This is what makes shared sync storage so valuable to an attacker. The backups were not infected with the malware itself; they had simply been replaced with exact copies of the encrypted files, which for the business amounted to the same thing.

Not only were the files stored on the employee's computer encrypted, so were her backups. But it gets even worse. All employees in the company backed up their files to the same cloud storage, and one of the benefits of that arrangement is that everyone has access to every shared file. This is a double-edged sword: the infected machine had write access to the shared folders, so the encrypted versions it uploaded were synced down to every colleague's computer in turn. In 30 minutes, the business lost access to all its data. Luckily, whoever created the malware made errors in the code that eventually allowed those within the company to retrieve all the compromised files, though not without a week of lost productivity.

Here we have a pertinent example of an important security concern for both business and government. In 2016, the Canadian government announced its Cloud Adoption Strategy, under which departments may store government data with commercial cloud providers; its aim is to provide services on par with those in the commercial sector. Canada's cloud storage is provided by Microsoft Azure. The Communications Security Establishment (CSE) expresses confidence in the government's strategy. "You can't be held ransom for data you have stored elsewhere" is the line given in its 2017 article, "Be Proactive: Prevent Malicious Attacks on Your Network". The logic behind this sentence is that if your backup data are stored on a separate machine and cannot be reached from the infected one, the ransomware has no way to touch them. That logic holds only for a true backup: a copy that the compromised computer cannot overwrite, and that retains earlier versions. A sync service is neither. Whether the storage is online continuously or connects only briefly makes no difference if it holds a single, writable copy of each file: once the encrypted files are synced, the clean copies are gone, and every file kept on that storage, which is usually shared between companies, individuals or government departments, may end up encrypted. What protects the data is versioning, retention or an immutable copy, not distance alone. The CSE article was published after the large WannaCry ransomware attack of May 2017, which infected computers in almost every country, though it had little reported impact in Canada.
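The distinction drawn above, between a sync folder that mirrors the latest write and a backup that retains versions, is small enough to model in a few dozen lines. The script below is an added example, not code from this post or from any product it names: it plays the Children in Film scenario through a mirror store and a versioned store side by side, with constructed sample documents, a stand-in "encryption" that simply flips every byte so the script runs offline, and a crude plausibility check to pick the newest clean version at restore time. It also takes a single snapshot of the mirror after the infection, to show that a one-copy backup taken at the wrong moment is no better than the mirror it copied.

```python
"""Toy model of ransomware propagation through file sync.

Added example for this post, not code from the post or from any product
it names.  "Encryption" is a fixed XOR so the script runs offline; real
ransomware uses strong per-file keys, but the propagation is identical.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

RANSOM_KEY = 0xA5  # constructed stand-in for the attacker's key


def ransom_encrypt(data: bytes) -> bytes:
    """Stand-in for the attacker's encryption: every byte is replaced.
    0xA5 has the high bit set, so ASCII input never stays printable."""
    return bytes(b ^ RANSOM_KEY for b in data)


def looks_clean(data: bytes) -> bool:
    """Plausibility check used at restore time: the constructed documents
    below are printable ASCII; encrypted output is not."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


class MirrorStore:
    """A sync folder: holds only the latest version of each path.  Any
    client with write access overwrites what every other client sees."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}

    def sync(self, path: str, data: bytes) -> None:
        self.files[path] = data

    def restore(self, path: str) -> bytes:
        return self.files[path]


class VersionedStore:
    """A backup with retention: each sync appends a version, and nothing
    the endpoint writes later can remove the earlier ones."""

    def __init__(self) -> None:
        self.versions: Dict[str, List[bytes]] = {}

    def sync(self, path: str, data: bytes) -> None:
        self.versions.setdefault(path, []).append(data)

    def restore(self, path: str,
                is_clean: Callable[[bytes], bool] = looks_clean) -> bytes:
        """Return the newest retained version that still passes the check."""
        for data in reversed(self.versions[path]):
            if is_clean(data):
                return data
        raise LookupError(f"no clean version retained for {path}")


@dataclass
class Endpoint:
    """A workstation whose sync client pushes every local write."""
    name: str
    stores: list
    local: Dict[str, bytes] = field(default_factory=dict)

    def save(self, path: str, data: bytes) -> None:
        self.local[path] = data
        for store in self.stores:
            store.sync(path, data)

    def pull(self, mirror: MirrorStore) -> None:
        """Receive whatever the shared folder currently holds."""
        self.local.update(mirror.files)

    def run_ransomware(self) -> None:
        """Encrypt every file this user can write; the sync client uploads
        the result exactly as it would a legitimate edit."""
        for path, data in list(self.local.items()):
            self.save(path, ransom_encrypt(data))


def run_scenario() -> Dict[str, bool]:
    mirror, backup = MirrorStore(), VersionedStore()
    accountant = Endpoint("accountant", [mirror, backup])
    colleague = Endpoint("colleague", [mirror, backup])

    # Constructed sample document in a shared folder, written by the colleague.
    path, expenses = "shared/expenses-2015.csv", b"date,amount\n2015-12-30,42.00\n"
    colleague.save(path, expenses)
    accountant.pull(mirror)           # both users now hold a clean copy

    accountant.run_ransomware()       # the "invoice" is opened; files encrypt
    colleague.pull(mirror)            # sync delivers the damage to everyone
    late_snapshot = dict(mirror.files)  # one-copy backup taken after infection

    return {
        "colleague_copy_clean": looks_clean(colleague.local[path]),
        "mirror_copy_clean": looks_clean(mirror.restore(path)),
        "late_snapshot_clean": looks_clean(late_snapshot[path]),
        "backup_restored": backup.restore(path) == expenses,
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

Only the versioned store recovers the file; the mirror, the colleague's synced copy and the after-the-fact snapshot all hold encrypted bytes. In a real deployment the `looks_clean` heuristic would be replaced by a point-in-time restore to a timestamp before the incident, but the property being exercised is the same: retention the compromised endpoint cannot delete.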

According to the Microsoft Security Intelligence Report, volume 22, global ransomware attacks increased by 300 per cent in the past year alone. Cloud storage is not immune. Microsoft has an army of its own to counter the attackers. Canadian computers running Microsoft real-time security products saw their malware encounter rate drop by roughly half between January and March 2017, to 3.2 per cent in March 2017. An encounter means the security product detected and blocked malware; it does not always mean the system was infected. But as we have seen in the case above, it only takes one opened email attachment to compromise an entire organisation's files, including its cloud backups.

The CSE article gives recommendations on how government departments and agencies can avoid a ransomware strike. WannaCry shows how narrow the margin is. It did not rely on email attachments: it was a worm that exploited a flaw in the Windows SMB file-sharing protocol, for which Microsoft had issued a patch (MS17-010) in March 2017, two months before the outbreak, and it spread from machine to machine across networks without anyone opening anything. Organisations that had not yet applied that patch, the British National Health Service (NHS) among them, were infected, and NHS staff lost access to patient files. Canada's escape owed much to timing: the attack began during the European morning, and the domain that acted as the worm's kill switch was registered within hours, before it had spread widely in North America. Precautions help, but a single unpatched machine or a single opened attachment can still give ransomware a foothold in a Canadian government department, and from there a path to the organisation's shared and synced storage, encrypting all the files.

We are entering a new age of friend and foe. We don't always know who our enemies are. Sometimes our attackers get into our systems through our own colleagues, unwittingly. The employee at Children in Film was an unwilling attack vector. There was no way for her to know that she was letting a trojan into her company's network. It was just a matter of chance that she opened a malicious email and her contemporaries in other companies, or in the government, didn't. The WannaCry attack of May 2017, which infected almost a quarter of a million computers around the world, was not targeted at any particular government or organisation either: it scanned indiscriminately for any reachable machine with the unpatched flaw. Attachment-borne ransomware works the other way round. Like drug smugglers who hide their merchandise in passengers' bags and coat pockets before they step onto a plane, attackers slip ransomware into file attachments sent out en masse and wait for someone to open them.

The world is witness to a new type of virtual crime, where information is the prime target and people's privacy and integrity are the main casualties. Canada's susceptibility to this new form of crime goes much further than the loss of files. Anonymous hackers are possibly the greatest threat to the Canadian government today, because their knowledge and tools match those of the government. A small team of hackers can encrypt government information and compromise critical infrastructure such as dams or electric grids. They can release information on government employees and compromise anybody's identity and personal security. There is only one way for the government to defend against such attacks. The Canadian government must incorporate private sector cyber security firms into its defence strategy. It needs to share information and allow ethical, responsible hackers to test its systems by attempting to penetrate them. Integrity should be prioritised over privacy behind Canada's most heavily guarded door: attacks against people's integrity are more damaging, especially when their information can easily be altered by malicious actors. For the private sector to help the Canadian government, the government is going to have to be a little more open.

Mike Belyea is a computer programmer with a Master’s Degree in Public Policy and Public Administration.
