Above: Illustration by Peshkova/DepositPhotos

BitDepth#1274 for November 05, 2020

Over the past fortnight, the reality of the threat to Internet connected computer systems came home vividly to Trinidad and Tobago, at the very least, to the business sector.

In short order, it became clear that in addition to the ANSA McAl ransomware attack, the Port-of-Spain City Corporation had been hit by an even more devastating cyberattack.

I’ve been able to confirm an earlier ransomware hack on another local company in June, but representatives declined to discuss or even officially acknowledge the incident.

For much of this century, TT has managed its growing online presence with a mix of “God is a Trini” optimism and a belief that our online footprint is too small to attract attention.
This is manifestly not true, though I cannot speak for any deity’s national ID.

For the last six years, I’ve run a small online news website dedicated to technology here, TechNewsTT.com.

From the start, I installed defensive software for the WordPress platform it runs on, initially as a prophylactic measure.
Over the last year, I’ve been tightening up on protocols as attacks on the site have surged.

In October alone, defensive software blocked 84 attempts to log into my site from Pakistan and 75 from the Czech Republic. These dictionary attacks – which use words from a list of common passwords – look for sites that use either the default ‘admin’ user or the domain as a username.

In July, a rash of SQL injections – efforts at adding malicious code to the website’s database engine – were blocked.
Panama launched 144 of those attacks, and Indonesia contributed 98. I’ve also had bad actors from Vietnam, the Phillipines, Netherlands, India and Switzerland come knocking.

Cybercrime isn’t just a Russian thing, it’s a global issue and the challenges are equally vast.

TechNewsTT is a superniche in this country, a blip in the wider Internet, barely noticeable by traffic, but hackers don’t care about that, they care about vulnerabilities.

This country has dragged its feet with a neanderthal’s grace for much of the decade on the critical legislation required to empower legal responses to a threat that’s no longer growing, it is in full bloom.

The pronounced reluctance of local businesses to acknowledge, far less discuss computer breaches is understandable. It is also legal.

Under GDPR or HIPAA law, companies are required, in Europe and the US respectively, to declare the impact and scope of breaches and inform customers of potential public exposure of sensitive personal information.

The TT Data Protection act includes these requirements, but it is not fully proclaimed.
Reporting cybercrimes is not required under either law, and it’s estimated that internationally, less than 28 per cent of these crimes are reported to police.

The pointlessness of doing so locally is even more pronounced when the State is so ill-equipped to respond to these crimes.
The TT Cybersecurity Incident Response Team (TTCSIRT) has existed since 2015, the result of a collaboration between the OAS and the ITU to fund the establishment of such agencies regionally.

Five years later, the agency is dramatically under-resourced and the legislation it is supposed to enforce is a shambles of piecemeal proclamation.
Policy limped ahead of practice, creating a sham of enforceability.

The TTPS Cybercrime Unit talks a tough game, but even its most digital basic forensic capacity is routinely gutted when trained officers leave for better jobs.

If the police show up to investigate a major ransomware hack, they won’t just lack body armor, digitally speaking, they might have arrived without pants.

How ransomware works

Software designed to take control of a company’s server systems and data store is introduced to computers, most commonly through phishing, spam emails sent that look official and invite users to click on a link, which brings the software into the computer system.

The software is designed to seek ways to get more access to the system. Some will log key strokes and use the input to get deeper into the computer’s hierarchy of security.

When data stores are located, they may be transferred to another location, but they are always encrypted locally, denying access to legitimate users.

Powerful encryption is used, which make it impossible to access the data without paying for decryption keys to access the files.
Recent versions of ransomware make companies pay for access to data as well as levying an additional fee to destroy captured information.

The best way to combat a ransomware attack is to perform regular full backups of your servers, have the latest and latest upated antivirus and anti-malware software.

Pro tips

Andre Thompson, a systems engineer at the University of the West Indies, St Augustine, shared this advice to network administrators and users managing Internet connected home networks on the TT Computer Society mailing list recently…

The best way to combat a ransomware attack is to perform regular full backups of your servers, have update antivirus and anti-malware software on all users’ PCs and servers.

When there is an attack you wipe the servers and restore from the latest known good backup. Virtualization of servers are one of the best ways to implement such a strategy employing a basic technique such as snapshots.

To further mitigate attacks, do not have your server admins surfing the Internet on the servers. Servers are not made for that purpose and makes it vulnerable to attacks.

While it is not always feasible, limit or remove Internet access on the servers. Updates can be downloaded on a PC, copied across and applied to the servers.

End users and even admins should be logging on with non-admin accounts and only if there is a software or hardware change would the admin access be required.