• Category: Articles
• Posted: 2021-06-21 10:26:18
• PERMALINK

Single Password Leak Leads to Colonial Pipeline Breach

The CEO of Colonial Pipeline, Joseph Blount, testified to a Senate committee that hackers had infiltrated their network using a single leaked password to gain access to a legacy VPN system. The hack resulted in a five day shutdown of the entire pipeline resulting in critical fuel shortages in the Southeast and a $4.4 million payment to the hackers. While the pipeline operation resumed, some financial systems were still down weeks later.

Despite a $200m investment over the last five years in upgrading their IT infrastructure, the Virtual Private Network (VPN) that provided outside access to the company's internal network had not been upgraded. With no two factor authentication in place, the compromised password was all that was needed to gain access. The password was confirmed to have been within a group of stolen passwords found on the dark web - although it was more likely an employee used the password on another account that ultimately was stolen. In addition, the VPN account was no longer used, but had not been deactivated.

While many ransomware attacks start through a phishing scheme where employees unwittingly invite hackers in through downloaded files or links to malware, this case represents both a failure by the company's IT team in properly protecting its network and what is likely evidence of social media's role in a new era of social engineering.

Having been the head of large IT departments, I understand that hardening an organization's systems is typically disruptive to the entire company and can result in a lot of pushback by the employees and even management. It can lead to a de-prioritization and delay of security projects while you try and find a "good time" to deploy the new system(s). The reality is, however, that a breach will be catastrophic to the company and delaying any system fortification is just asking for trouble.

Colonial Pipeline Company has $3.1 billion of assets with a net income of $420 million last year alone. Given its role in supporting the infrastructure in the Southeast United States and its wealth, they have a lot to lose. Their failure to replace an aging VPN system, along with systems that apparently didn't identify a breach nor the change in files, created the perfect storm. 

Two-factor authentication uses a conventional password in combination with a single use token or pin sent through text, email, or security token device. If it was in place at Colonial, the failure to provide the second single use key would have prevented access. Further, it likely would have tipped off the employee that someone was trying to use his/her account to access the VPN.

I also alluded to a social engineering aspect of this particular breach. The security company that is working with Colonial claims the leaked password did not originate from Colonial. Typically the passwords are part of a larger dataset stolen from another company or website and include enough information on the user to leverage for more sophisticated hacks. Perhaps the employee used his/her Colonial email address on the other (leaked) email account. However, consider the free flow of information we willingly participate in through reputable business network sites such as LinkedIn. 

Whereas hackers of old would use social engineering to learn intimate details of their intended victims and even dumpster dive if need be to retrieve key details, today's cyber villains can leverage our leaked/hacked personal information with the vast amount we eagerly share through LinkedIn and Facebook. As more and more information collects on the dark web, profiles are created so that when passwords are exposed, hackers will use every resource to see what doors those will open. 

Therefore, it is imperative that not only the company's IT team, but management in general, needs to be highly proactive on all matters of security. If your organization needs help in this area, I served as Director of IT and Chief Information Security Officer for a $3.5B company and can consult on security strategies and education. For more information, contact us at Traversi Media.

• Category: Development
• Posted: 2021-06-21 07:50:33
• PERMALINK

Just a Text File

Over the years years, I've attended a number of users conferences for different enterprise software programs. You can find out a lot about the applications and more importantly, the company behind it, by what types of sessions they offer. The ones that are more marketing and sales-oriented are likely to be all about increasing revenue whereas the ones focused on users and their challenges are clearly all about support.

While I saw both sides of that spectrum, in all cases I sought out the technology round tables. These round tables afford users the opportunity to discuss problems and wishlists with the individuals responsible for implementing product revisions. More importantly you can find out what challenges other customers are experiencing and how they are working through them.

What I found most interesting about all of these sessions were the variety of issues that would be pretty simple to rectify but remained on everyone's wish list.

In many of these cases, people would ask about a text file they needed to export to an accounting system or one they would need to import for reporting purposes. They could see the data within the application and instinctively knew it should be easy to get at, but year after year it remained a want. A lot of software companies are focused on the big items and keep shuffling off the little stuff to a later date. 

To be fair, many of these things apply just to a subset of customers and applying resources to such a small segment isn't practical. However, if a customer can save time or benefit to any degree as a result of this additional functionality there is value. 

We've done enough integrations between disparate systems that we can help in a number of areas. Either we can develop the process ourselves on your system or develop a spec and identify the process for implementing. Sometimes clarifying needs and resources is enough to start a conversation on the right foot. If we do the work, we can often do so in a few days.

If you would like more information on how we can help with the automation of processes, please contact us at Traversi Media.