Microsoft was itself breached with the SUNBURST (you have to have catchy names in all caps for malware and hacking groups, or it's not proper infosec) malware that kicked off the recent hullabaloo, although it doesn't appear to have caused any damage.
Apart from Microsoft, Cisco was hit too along with security vendor FireEye which, to its credit, published a full post mortem of the incident, along with identifiers for penetration testing code that the attackers are believed to have taken.
Vulnerabilities in a range of enterprise software were exploited and used with devastating effect by the attackers. What made the attacks possible?
Having looked at a range of single-line-of-code exploits this year, for example, it's impossible not to agree with former Facebook security chief Alex Stamos' mea culpa, that "the overall security quality of enterprise IT products is terrible".
Enterprise IT products can be terrible to the point that using the word "sophisticated" to describe the attacks, whether in its old or new meaning, feels wrong. Patches to fix security issues come out regularly, but they're often not applied because it's hard to test them for bugs that could crash production systems.
That's understandable because what do you do here as an admin? Order another box costing tens or hundreds of thousands of dollars to test on before rolling out the patch on your production environment? That'd burst your IT budget.
As a security industry person pointed out, while the gaping software and hardware security holes might be simple and facepalm-worthy, the art lies in exploiting the right ones.
Some people who have learnt that art "owned" several United States government agencies, including the National Nuclear Security Administration, parts of the Pentagon and, ironically, the Cyber and Infrastructure Security Agency, hard and thoroughly.
Because IT is so embedded in everything here, it's important to understand that the damage hack attacks do often goes beyond individual victims.
Data breaches, ransomware, and disruption to services are bad enough. Attackers can damage entire industry sectors and societies by making people lose faith in the systems they're supposed to rely on.
It's become a real concern that needs to be addressed with urgency. The International Monetary Fund noted how cyber attacks could undermine financial stability around the world in research published earlier this month.
Loss of confidence after the Equifax credit reporting company suffered a massive data breach in 2017 spread to competitors TransUnion and Experian, both of which saw their share prices take large hits.
The distributed denial of service attacks on NZX led to trading halts, sparked by concerns over market integrity, the IMF said. This despite the NZX trading systems being technically operational.
Financial institutions and banks are very much in the crosshairs of attackers, and the IMF noted that if there are attacks that prevent depositors and traders from accessing their funds and using the systems, they might demand their money back. Or, cancel their accounts and subscriptions.
Liquidity crises could be brought on by locking otherwise healthy organisations out of their funds by attacking interlinked payments systems as well, the IMF said.
Even if there was no hack, there could be false rumours spread that cyber attacks have somehow tainted the integrity of transaction data, and there would be no easy way to verify that for most people.
When you look at the above you can kind of see why Trump and his Republican supporters are having a go at voting machines. The claims are baseless (and can be debunked) but once people start losing confidence in important technology, the damage can be horrific. For an enemy of the United States, undermining trust in democracy this way is one hell of a win.
And that's something we need to think hard about for 2021, with much better reaction times and information sharing than there is currently, and fewer animated GIFs posted on social media. Perhaps the ongoing SolarWinds saga will be the necessary wake-up call before something really bad happens again, but past experience suggests we'll head into next year still asleep at the wheel, unfortunately.