Hiltzik: The threat of ransomware – Los Angeles Times

Fran Finnegan was on vacation in New York just before the Fourth of July weekend when he received a disturbing text message from one of his customers: How come his website was down?

Finnegan quickly searched out a computer to remotely examine his site, which provides access to millions of documents filed with the Securities and Exchange Commission.

There he discovered a disaster unfolding in front of his eyes in real time. Hackers had breached his site’s security and had taken over. He watched helplessly as they encrypted all his files, placing them beyond reach.


“As soon as I could, I shut them off,” Finnegan, 70, told me from his San Francisco Bay Area home. “But the damage was done.”

The attack had started the previous weekend, so for four days the hackers had free access, ransacking the raw material of Finnegan’s business like burglars raiding a museum without fear of capture. “I lost everything that essentially makes up my whole operation.”


When the hackers were done, they left Finnegan a message with a skull and crossbones on a sinister black background, reading “Your Files Are Encrypted” and providing an email address to which he could write to learn the cost of a decryption key to restore his files.

It was yet another extortionate ransomware attack, in which hackers effectively kidnap a business’ digital lifeblood and offer to restore it — for a price.

These attacks are becoming almost daily occurrences, though they’re typically aimed at big businesses with the wherewithal to pay a multimillion-dollar ransom (generally demanded in bitcoin or another digital currency).

The targets often have the sort of commercial, political or economic footprint — think hospital systems, universities and government agencies — that makes prompt resolution imperative.

Notable ransomware attacks this year have struck Colonial Pipeline, which had to curtail gasoline deliveries to customers in the Northeast during the episode, and JBS Foods, an international meat processor. Both companies paid ransom — $4.4 million and $11 million, respectively, though much of the Colonial payoff was recovered by the FBI.


The most far-reaching attack appears to be the one that hit Kaseya, an information technology company whose clients serve thousands of small businesses, just before the July 4 holiday weekend.

But most attacks seem to fly under the radar. The consumer information service Comparitech documented 92 ransomware attacks in the U.S. healthcare field in 2020, affecting more than 600 clinics, hospitals and other organizations and more than 18 million patient records. Comparitech estimated the cost of those attacks, including ransoms paid, downtime and recovery, at some $21 billion.

“Ransomware is everywhere,” cybersecurity expert Brian Krebs says. “There isn’t a single industry that isn’t dealing with this problem right now.”

That doesn’t mean they’re having much success. “There are a lot of predators out there doing this, and the reason we have so many of them is because there’s a lot of easy prey,” Krebs says. “We either have to do something about the volume of prey out there, or start taking some of the predators off the board. It’s not a fair fight at the moment for a lot of companies.”

[Photo] Part of the message left by hackers on secinfo.com, informing its owner that he would have to pay to retrieve his business’ database. (Fran Finnegan)

The attack on Finnegan’s site is a twist on what might be considered traditional ransomware, which generally involves the implanting of malicious software in a target system and using it to wreak havoc from within. Finnegan believes that his attackers gained access to his data through a different method, the use of a stolen password.

But it does fall into the broader category of digital extortion. Finnegan hasn’t reached out to the hackers via the email address they left because he discovered via an internet search that it’s associated with a group accused of taking victims’ money but not delivering a decryption key. So he’s left with restoring his data virtually by hand.


Finnegan’s business, secinfo.com, provides his subscribers with access to every financial disclosure document filed with the Securities and Exchange Commission — annual and quarterly reports, proxy statements, disclosures of top shareholders and much more, a vast storehouse of publicly available financial information.

These documents are all available for free directly from the SEC’s website or those of issuing companies. But secinfo.com is valuable as a one-stop shop for the data. The service was making more than 46 million documents available, their more than 1.6 billion pages easily searchable.

Subscribers could set up alerts for any time a company or major investor filed another document, and crunch the embedded information in myriad ways. For anyone doing research on public companies, secinfo has been a time-saving tool for finding what they need, for a nominal quarterly fee. (I’ve been a subscriber for years.)


For now it’s inoperable. Finnegan estimates it may take weeks for him to restore everything to its pre-hack condition.

Finnegan launched secinfo.com in 1997. He had studied computer science at Notre Dame and earned an MBA at the University of Chicago, then spent about a dozen years on Wall Street as an investment banker at E.F. Hutton and First Boston.

“I got bored with that,” Finnegan told me. “Software was much more fun, so I decided to get back into software.” With a staff of 15 to 20 people, he hired himself out as a software designer for big corporations.

Then, in the mid-1990s, a sea-change came upon the SEC. An insurgent campaigner for free access to government documents named Carl Malamud persuaded the agency to place its EDGAR database of corporate filings online for free, breaking the near-monopoly then held by the commercial Lexis/Nexis service.


The agency, which initially resisted the initiative, soon learned that free access opened the database to a multitude of innovative formats developed by nonprofits and profit-making services, vastly expanding its usefulness to the public.

Finnegan was a pioneer in making the database more accessible. “I thought, I know software and I know Wall Street, and I can do a better job than the SEC,” he says, “so I shifted to doing the EDGAR thing, and that’s what I’ve been doing for the last 24 years.” Eventually he became one of the largest third-party vendors of SEC filings.

The secinfo.com website has a utilitarian appearance, yet is so complete and provides so many parsing and downloading options that it looks like the product of a sizable staff. But it’s a one-man operation, thanks to Finnegan’s skill at automating its functions. His system is set up to poll the SEC’s database two or three times per second, and to grab any new filing that shows up.


Finnegan’s database of filings, 15 to 20 terabytes in size, was stored on a pair of large-scale servers at a data center in San Francisco. (One terabyte is the equivalent of 1,000 gigabytes; a digital version of a feature film can take up 1.5 to 3 gigabytes of space.) The two servers were redundant, so if one melted down the other would work as a backup.

“I thought I was covered,” Finnegan says.

The problem was that his fail-safe arrangement had a couple of holes.

One was that the redundancy protected him against a hardware failure by either server, but not a security breach.


The second was more dangerous. When Finnegan originally set up secinfo, he gave himself administrative privileges so he could manage the system, and protected his access with a password. The password he used, however, was the same as the password he was using for his Yahoo email account.

That password was probably stolen in a massive hack in 2013 that also compromised the names, email addresses, phone numbers, birth dates and security questions and answers of 3 billion Yahoo account holders.

Yahoo had advised its users to change the passwords on their Yahoo accounts, but Finnegan had long since forgotten that he had also used it as his administrative password.

“Had I remembered that I was using a password from 24 years ago,” he says, “I certainly would have changed it.”


He conjectures that it was sitting around as a ticking time bomb in the hands of anyone with access to the stolen Yahoo data. If you’re a hacker, he says, “you take a long list of passwords and keep going back and testing every password, and maybe you’ll get a hit.”

Finnegan’s firewall service, which would protect him from a random breach attempt, wouldn’t protect against the use of a legitimate password. As he later discovered, beginning on June 26 his hackers pinged his system 2.5 million times before they finally hit on the right password. He says the firewall logs established that the hacking originated in Russia.
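The pattern Finnegan describes, a long run of failed login attempts from one source ending in a success with the stolen password, is visible in an authentication log even though a firewall lets the valid credential through. The following added example (not code from the article or from secinfo.com; the log format, addresses and threshold are constructed for illustration) scans such a log and flags a success that was preceded by a burst of failures from the same source against the same account.

```python
"""Spot a password-guessing campaign that ends in a successful login.
Added example, not from the article or secinfo.com; the log format,
addresses and thresholds are constructed for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one login attempt per line, in a hypothetical
# "timestamp src=<addr> user=<name> result=FAIL|OK" format.
SAMPLE_LOG = """\
2021-06-26T02:00:01 src=198.51.100.9 user=alice result=FAIL
2021-06-26T02:00:09 src=198.51.100.9 user=alice result=OK
2021-06-26T02:10:00 src=203.0.113.7 user=admin result=FAIL
2021-06-26T02:10:01 src=203.0.113.7 user=admin result=FAIL
2021-06-26T02:10:02 src=203.0.113.7 user=admin result=FAIL
2021-06-26T02:10:03 src=203.0.113.7 user=admin result=FAIL
2021-06-29T14:22:30 src=203.0.113.7 user=admin result=OK
"""

FAIL_THRESHOLD = 3  # failures per (source, user) before a later success is suspicious


def parse_log(text):
    """Parse lines into dicts carrying a datetime plus the key=value fields."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, *pairs = line.split()
            rec = dict(pair.split("=", 1) for pair in pairs)
            rec["ts"] = datetime.fromisoformat(ts)
            records.append(rec)
    return records


def find_guessed_logins(records, fail_threshold=FAIL_THRESHOLD):
    """Flag a success preceded by >= fail_threshold failures from the same
    source for the same user. The final attempt uses a valid password, so a
    firewall passes it; the run of failures before it is the tell."""
    fails, first_fail, alerts = defaultdict(int), {}, []
    for rec in records:
        key = (rec["src"], rec["user"])
        if rec["result"] == "FAIL":
            fails[key] += 1
            first_fail.setdefault(key, rec["ts"])
        elif rec["result"] == "OK":
            if fails[key] >= fail_threshold:
                alerts.append({"src": rec["src"], "user": rec["user"],
                               "failures": fails[key],
                               "span": rec["ts"] - first_fail.get(key, rec["ts"])})
            fails[key] = 0  # a success resets the counter for this pair
            first_fail.pop(key, None)
    return alerts
```

On the constructed sample the single alert is the admin account: four failures from 203.0.113.7 spanning three days, then a success; alice's one mistyped password followed by a normal login does not fire.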

That doesn’t mean the hackers were acting on behalf of the Russian state, but it is consistent with the conclusion of cybersecurity experts that Russian President Vladimir Putin has given a home to hacking groups such as REvil, which is thought to have launched the Kaseya and Colonial Pipeline attacks, as long as they don’t aim at Russian targets.

President Biden issued an indirect warning to Putin about his tolerance of hackers during their meeting in Switzerland on June 16. “Responsible countries need to take action against criminals who conduct ransomware activities on their territory,” Biden said after the meeting.

Once the hackers were inside secinfo, they were able to encrypt everything on both servers — not only the database of documents but also Finnegan’s email system and even his list of users and their contact information.

That means that once secinfo.com is back in operation, he won’t be able to proactively inform his customers what happened — he’ll have to wait for them to get in touch with him. There are no indications that his more than 500,000 customers, who he says have included individuals and financial services firms such as Bank of America, Goldman Sachs and JPMorgan Chase & Co., have been placed at risk.

If there’s a saving grace, the hackers weren’t able to breach another set of servers on which he has stored his software for automating the search function and other features of his website.


But other than that, Finnegan says, “I have to re-create everything, and that takes time. I hope it’s not more than a month, but there’s no way of knowing right now.” He says he doesn’t think the restoration will cost him too much out-of-pocket, but the toll on his time and the aggravation cost, as well as the loss of users, is incalculable.

“There’s a ton of stuff to do,” he says. “You wouldn’t believe how complicated it is.” Until Thursday, he wasn’t even able to post a message on his website informing visitors that the service is “down due to a ransomware attack” and “will be up as soon as possible.” Up to then, the secinfo.com address just returned a blank screen.

Then there’s the question of where to find a remedy to the ransomware frenzy. Finnegan and Krebs both observe that the crime has been facilitated by the rise of virtual currencies such as bitcoin, which are harder to trace than traditional forms of payment.

“The only way this is going to stop is if the U.S. outlaws bitcoin,” Finnegan says. “That would take away the anonymous payment mechanism, and that takes away the incentive.”


In the meantime, the threat is only going to get worse.

Source of this news: https://www.latimes.com/business/story/2021-07-09/a-ransomware-attack-destroys-a-thriving-business
