In July, the Governor of Louisiana declared a state of emergency in response to a rash of cyberattacks against its schools. The declaration is the second one of its type since Colorado did the same last year.
On Tuesday last week, La. Gov. John Bel Edwards, still reeling from the aftermath of the attacks, said:
"While it’s school systems today, it could be any public or private entity tomorrow. This is really serious.” La. Gov. Edwards. Read more.
Now, the National Governors Association advises all states to:
"... develop response plans that put cyberattacks on the same level of severity as natural disasters or acts of physical terrorism." National Governors Association, more.
This, after Naples was the fourth city in Florida to report a breach and loss costing $700,000. According to the FBI, victims in Florida lost $83 million in 2018 to the same scam Naples suffered last week.
Sophisticated cyber-attacks against smaller, unprotected targets is a booming business.
Big companies and organizations, like the headline breaches of years past, are generally harder targets now. After years of attacks and regulatory pressures they require more resources and patience to attack successfully.
The public sector? They're slower to adapt and thus, easier to hack. As we heard last month from one of the three Florida cities that paid big-dollar ransoms:
“Every day I’m learning how this even operates because it just sounds so far fetched to me.” A Florida city council chair, more.
Lack of awareness and preparedness make bloody waters for cyber-predators using NSA-grade hacking tools today.
The public sector is expected to be transparent with issues affecting tax-payer money and public policy. When schools, municipalities, police departments, and others are hacked, it makes the news - at least on a local basis.
Attacks on small, private entities are rarely reported to the press, and it happens far more than most understand.
Cyber-syndicates are building "as-a-service" platforms to scale their growth and pump massive illegal profits.
The operators provide subscribers, or "affiliates" the tools they need for cyber-attacks and split the spoils 60/40 with the syndicate. No resume' or experience required, and no technical expertise or capital outlay needed.
Anyone with a computer browser can subscribe. See the Fox News story "Ransomware is a 'best seller' on underground hacker forums" below.
In Baltimore's case, the mayor blaming the NSA for developing the tools being used by criminals after a New York Times report that the ransomware used an exploit developed by the National Security Agency to spread across the city's network.
The planet's #1 cyber-sleuth is Brian Krebs. Nobody disputes that. Many cyber-actors from around the world wish he wasn't around at all.
This month, Krebs shared some deep looks into cyber activity in the U.S. and how the criminal infrastructure is being built to scale for criminal profits around the world.
First up, the state of ransomware:
"The cybercriminals behind the ransomware-as-a-service offering recently announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims." Krebs
Retiring on $2 billion? Tax-free? Not a bad gig.
Oh, wait. It turns out the cybercrime biz is too good to quit, so now it seems:
"... the criminal team have instead (of retiring) quietly regrouped behind a more exclusive and advanced ransomware programs ..." Krebs
In another report, from Wired magazine on August 1st, three Ukrainians were shut down after earning upwards of $1 billion. More; "The Inner Workings of a Billion-Dollar Hacking Group."
Yes, it's a pattern. Cybercriminals are more ambitious and thinking bigger than ever. Suddenly, uber-wealth status is in reach for anyone with an internet connection and some imagination.
According to Krebs' intelligence, cybercrime-as-service is so profitable that operators are now advertising on the Dark Web for affiliates to partner in their growth and fortune. For more about "Party Like a Russian" see below.
Krebs discovered a video clip on the Dark Web advertising a ransomware-as-a-service platform. The ad, produced by a criminal syndicate operating a cybercrime-as-a-service business, is marketing to would-be hacker millionaire wannabes.
The video ad promises to equip "affiliates" with all they need to begin mouse-clicking their way toward living their best dreams today and retiring rich tomorrow.
I'm not linking the video here because it's disgusting. But it's on Krebs' site (it's his job to post this stuff.)
The point is this - these guys going big in cybercrime know their market. The aim of their advertising video is to target prospective new affiliates that:
" ... that mostly views America’s financial system as one giant ATM that never seems to run out of cash." Krebs
The ad for criminal affiliates hits all the notes for one that feels they are due a better life and sees the U.S. as a boundless ATM for retribution.
The nature of digital crime is free from many of the obstacles and limitations held by traditional crime. Professional perpetrators know how to exploit the strength of their digital (virtual) operation against weaknesses in tax and law enforcement authorities built around conventional (physical) systems.
"Bulletproof hosting administrators operating from within Russia probably are not going to get taken down or arrested, provided they remain within that country (or perhaps within the confines of the former republics of the Soviet Union)." Krebs
In the "bulletproof" domain, subpoenas and complaints don't matter.
Cybercrime, for more and more around the world, is the fastest, easiest path to great riches and a better life.
And for the growing ranks of aspiring black-hats everywhere, the U.S. is target #1.
The bad guys are looking for the most unaware and unprepared targets - and today, that's people, their technology and information, their email, banking, and investment accounts.
How long will it take before the risk/reward equation for cybercrime finds its clearing point? And how much will it cost before we are resilient enough to level the field?
Reports say it will be years and trillions in dollars, and it represents the greatest transfer of wealth ever.
It is likely a cybercriminal will rank in the Forbes wealthiest list by 2023. It won't be by hacking Home Depot or Target. It will be on the backs of hordes of slow-to-adapt individuals and small entities everywhere.
But, mostly from the U.S.
Criminal actors from around the world are increasingly focusing on low-hanging fruit. They're attacks are "opportunistic" - aiming for small targets, unaware, unprepared - and potentially lucrative when faced against military-grade hacking tools.
The risk is manageable. But certain changes are invariably required sooner or later. We call them "The Four Fundamentals of Cybersecurity for Life."
The Four Fundamentals approach essentially builds an eco-system for considerably more privacy and much less cyber-risk for all you do.
The #1 best way to start is by privatizing your personal email.
Every loss we mentioned in the first section of this letter started with an email. Almost 90% of all successful cyber-attacks start with an email.
In July a grand jury in California said it's not so much "fake news" and disinformation that is risking our elections - it's our damn email accounts!
Krebs wrote about the grand jury's report and called email "unsexy." I know exactly what he means - people could care less about their email accounts. Fact is though that nothing works better to reduce risk and increase digital autonomy. And, importantly, to begin the process of owning more of your personal information (vs Big Tech and your email provider.)
Also in July, Barracuda Networks released their annual report Security Trends for 2019. In the report they conclude; "Email attacks: A fact of life." and that email is likely to remain the top vector for cyberthreats. Get the report here.
Private email is a game-changer. It's affordable, simple, and very secure.
Brad Deflin returns for the 5th consecutive year to speak on "Cybersecurity fro Life" with Sovereign Society members and investors at the Total Wealth Symposium in Amelia Island this September. See Cybersecurity Education Calendar, here.
It will be Milwaukee in December for "Cybersecurity for Life - how to protect in a new age of risk." with the Wisconsin YPO Gold Chapter at The Lubar Entrepreneur Center, UW Milwaukee. More.
"Nearly a third of top VPNs are secretly owned by Chinese companies, while other owners are based in countries with weak or no privacy laws, potentially putting users at risk, security researchers warn." More.
DHS Warns Small Airplanes Vulnerable to Flight Data Manipulation Attacks via @TheHackersNews here.
Last couple of months show trends including "The Strong-arm Hack." As usual, email is the source, so here's an email checker tool too. More.
Go private! Over 80% of cybercrime originates with an email.