From losing to keeping control?

On 25-6-2017 a global cyber attack took place. Several private companies all around the world have confirmed that they were struck by the attack, among many others: the American pharmaceutical giant Merck, food company Mondelez International, the Danish shipping company AP Moller-Maersk, including its branch in the Dutch port of Rotterdam, the British advertising firm WPP, the French multinational Saint-Gobain, a unit of the bank BNP Paribas, the Russian steel and mining company Evraz and the energy company Rosneft, Ukraine's Boryspil International Airport in Kyiv, and the Chernobyl nuclear power plant, which had to switch to manual radiation monitoring.

The software responsible for the attack is called "Petya". Petya reminds us of WannaCry. For those who can't remember: just a few weeks earlier, the WannaCry attack affected over 300,000 computers globally, making files inaccessible and demanding $300 in Bitcoin to unlock the data.

Like WannaCry, Petya is based on "EternalBlue", a tool to exploit a Windows vulnerability. According to several security experts, including Edward Snowden, EternalBlue was developed by the NSA (National Security Agency). The NSA's hacking team lost control of its tools, and last August a group calling itself the Shadow Brokers announced that it had access to those tools. Petya, however, is more sophisticated and more dangerous than WannaCry, and the malware cannot actually revert its changes and unlock the data. McAfee Enterprise claims Petya also introduces a few more spreading mechanisms to affect other machines.

The question arises: who wants to attack entire energy companies, the power grid, hospitals, bus stations, gas stations, the airport, banks, supermarkets, etc.? Security researchers, hackers and law enforcement know that if the hack is done well, it is almost impossible to determine who the hackers are. Embedding false traces is not too difficult. The secret services of more than a hundred countries use digital weapons to spy and to influence political processes all over the world. A cyber attack can easily be part of a broader intelligence operation. It is better not to jump to conclusions before the evidence is indisputable.

Cyber attacks like Petya cost relatively little effort, yet they can achieve a huge multilevel impact. There are the affected persons and organizations, unable to do business as usual and forced to spend effort and money to solve the problem. And there is the political and psychological effect: the attacks create fear, uncertainty and doubt.

Lots of sites give practical information about how to protect your (Windows) computers against WannaCry and Petya, and Microsoft has provided a guide. A robust back-up strategy, network segmentation and air gapping are also part of the defense. Investing in knowledge and skills and collaboration between stakeholders are always part of the strategy as well. Dijkhoff, the outgoing Dutch Minister of State, recently sent a report (Cybersecuritybeeld Nederland 2017) to the parliament emphasizing these aspects. It is known that 'digital defensibility' in the Netherlands, although growing, lags behind the growth of the threats. The more bureaucratic an organization is, the higher the chance that it will not have updated its software and installed the patches at the time these patches became available. The report also promotes the idea of a 'Dutch cyber defense unit' and identifies the risk of being too dependent on a small number of foreign providers of infrastructural services.

It is not yet known if and how the recommendations in the report will be implemented, but even if they are, it is probably too little, and some urgent questions remain.

Why:

  • ..does the Dutch government insist on continuing to promote and buy platforms which are not transparent and are vulnerable to such devastating malware?
  • ..does the Dutch government not strive for independence and move away from NSA/CIA-weaponised US proprietary software?
  • ..do many of the IT accountability processes focus on the wrong variables?

What if:

  • ..a government conceals knowledge of vulnerabilities in such software as Windows?
  • ..a government uses concealed knowledge of vulnerabilities in such software as Windows for its own political purposes?
  • ..a government is not able to protect such concealed vulnerabilities from being found? By enemies?
  • ..security agencies like the NSA refuse to help to defend against the weapons they created?

We as the public can press our government, ask questions, and, most important, independently create the tools for software control by end users and end-user organizations. That is the only path towards controlling and processing our data.

See also our blog post Access Granted, which explains how Odoo and (partly) the Odoo community approach "security" and try to be part of the solution.