Season 1 Episode 41: What Happened After 3 Small Business Ransomware Attacks
In this episode:
We kick off episode 41 with a news story about TrueDialog, an SMS service used by colleges and universities that exposed the sensitive data of millions online, by storing private data unencrypted
Ruthy: First off, we’re talking about the TrueDialogue breach, which is something regarding SMS text messages getting hacked and a bunch of data getting thrown out into the atmosphere. I want you to fill me in on what exactly happened there.
We’re also going to be talking more about ransomware, and how small businesses who have been affected by ransomware breaches can recover from that. I wanted to know what you have seen yourself running your own company as a tech “guru” for other small businesses, and also what you’ve seen other businesses do when they did have a ransomware attack. How did they recover from the attack?
And then lastly, for Tech Gadget, this is one of my favorite topics as it’s something I have been personally using; it’s the grayscale mode on your phone, and it might help curb some phone addiction. So I’m curious to hear your thoughts about that.
Tech News: TrueDialog Data Exposed (and how small business owners can avoid something similar)
Let’s talk about this article that I found the other day on TechCrunch, where millions of SMS text messages were exposed from a database run by a company called TrueDialogue.
So, Tim, can you fill me in a little bit about this breach? Who are TrueDialogue, and how did this happen?
Tim: Yeah, this was a very messy breach. And thank you for finding this for us. I hadn’t even seen it, it came out just in the last few days.
As a reminder, SMS messaging is the regular text messaging that you do on your phone. It stands for “simple messaging protocol” or “standard messaging protocol”, and it’s very open by design. There’s no encryption, there’s no security, there’s no nothing. It just sends out a text, and the other side receives it.
Actually, it sends that blurb of text to a server at the cell phone provider, and it hits their servers, and then they send it back out to you. So if I’m sending you a text, it goes to the Verizon server, and then gets sent out to you wherever you are.
Schools and colleges and universities are the big users of an outfit like TrueDialogue. This is a company that sells a service where, if you’ve got 10,000 students in your college, you can send out a single text message that will hit all 10,000 students’ cell phones at the same time.
Companies also will use it as a way to send out text messages to their customers, “We have a special on this”, or, “We have a special on that”. “Please go here to download this coupon”, whatever it might be.
It’s kind of like mass emailing that a company might do, but it’s all in text.
And this TrueDialogue company, ridiculously, had all of their stuff just sitting there where it was wide open and with no password. So, if you could figure out where their server was, which, by the way, is real easy to do, you can just do a DNS lookup and you can find out the actual IP address of the server for this TrueDialogue.
So, if you wanted to, you could just go out and connect to the database. And the data wasn’t encrypted, either! So there’s no password, un-encrypted, on their server, just sitting there.
The irresponsibility on their side. I mean, frankly, they have no right to be in this particular business.
I was not able to do any real research to see who their competitors are, ‘cause if there’s no competitors, then that’s a wide open market cause these guys frankly don’t deserve to be in business.
I don’t want to go that direction because anybody can be breached. And you know, it happens even when you can have really good stuff in place. But this wasn’t a company that was the target of attack. This was a company actually taking your information and leaving it on a front porch.
This server was holding information like social security numbers. It had a lot of two-factor identification back and forth. They also would use it for one-on-one communication. So if you were a student, you could text the tech services team and say something like, “I can’t get on the network right now. Can you send me my password”? And the tech services team would use this TrueDialogue to communicate.
It wasn’t some guy using his cell phone in the IT department at the college. Instead, the tech team at the college would use this service as the front end to respond to your inquiries. So passwords, two-factor identification codes, all these things are in there, with email addresses and so forth attached.
This is just utterly irresponsible.
Ruthy: I know that you trust nobody. I’m learning from you, right? Because I’m too trusting and you trust nobody. But when something like this happens, it does make you kind of wonder about what would be the thought process behind setting up a service like that.
I mean, you would have to have some sort of technological know-how to set it up in the first place. So there was some sort of willful effort that goes into not encrypting and not making it even password protected.
You know, a lot of what happens with security breaches is that there are holes in security that nearly no one knows about. It’s not usually because someone willfully left something wide open. It’s because you thought you buttoned your whole house down, but it turns out there is still one way in. If you go over next to the dryer vent, you can reach a hanger in there and get access, that sort of thing. I mean, that’s how minor some of this stuff is.
It doesn’t mean the bad guys won’t try to get into your house via the dryer, right? But you put in preventative and recovery measures in place, to mitigate the chance of that sort of thing happening.
This is very different. This is a situation where they just left everything wide open and sat back and collected the money, man. Saying, “We’re getting money off every text message, so just bring in the dough. We’ll deal with security fall-outs later.”
Ruthy: So if you are a small business, or if you are a college or something like that, using a company like TrueDialog, what should you ask before you institute something like this? How can you make sure that you’re hiring a company that’s going to be on the up and up when it comes to handling sensitive data like this?
Tim: Well, you’d have to think TrueDialogue were obviously pretty good at what they were doing. They’d have been projecting one thing and in the background, doing quite another.
Now here’s the problem. This is the instance where we, as small business owners, can’t think, “Oh, just keep it running.” Of just telling your tech team, “Listen, we’ve got business to do. Just keep it running.”
That’s where shortcuts come in, and clearly the message from this TrueDialogue was, listen, the texts are going out every time that you need to send a text out to all 10,000 students. And that’s what it is.
Ruthy: What was it you said to me a few years ago when that big Target breach happened? “There’s never been a breach that happened when things were down.”
Tim: Yes, exactly.
We tend to think of it that way sometimes, don’t we? “Just keep it running and then we’ll deal with the rest of the stuff as it comes up.”
Well, that’s what they’re doing here, I guess, because by all accounts, from what I could tell from a quick look, these people have a zillion customers because they’re good at getting the texts out on time.
It all “works” the way that it should, even though it doesn’t.
So there’s always stuff behind the scenes that needs to be in place and we think it doesn’t have to be in place. We think of it sometimes as optional, which these guys clearly did. They thought, “Well, that’s gonna take some time for us to set up, but right now we’re keeping all of our resources to make sure these texts get out.”
If there’s a takeaway for us as a small business, that when the tech team wants to do some stuff behind the scenes, don’t say to them, “How will this help me sell one more insurance policy?” That’s not the issue.
There may have been a whole tech team in the background who’s been hammering on management to let them button this stuff down. And management said, “No, our mission is to get texts out.”
Tech Tip: How 3 businesses recovered from ransomware attacks (and prevented more from occurring)
Ruthy: We’re going to be moving on now to our segment of Tech Tip. And for this, Tim, I want you to kind of keep in mind of what we were just talking about in Tech News, how it’s important to know what’s going on in the back end of a company in order to keep a front end moving.
Keeping on about preventing or recovering from data breaches or ransomware, what have you seen with some of the companies that you’ve worked with at Terrapin Networks, when one of your customers was attacked by ransomware, and how they recovered? Is this something that you see often with some of the companies that you work with?
Tim: Well, no. We actually had a little run of ransomware about three years ago with three different companies that we are the tech manager for.
All three companies had ransomware attacks within about three months of each other, something like that. And in all cases, all their data was encrypted on their servers.
One case, including their email. They came in one morning and went to open up a file and a little thing popped up on the screen that said, “You’ve been hacked through ransomware. You need to send us this kind of Bitcoin. Here’s the link to go to and send us the money, and we’ll send you the encryption key.”
Now, in all three cases, no one had to pay anything. We were able to completely recover all the data through good backups.
As we’ve talked about in some other episodes coming out now, there’s a whole organization of open source people who are working on ways to decrypt and get decryption keys in the hands of people who have been attacked like this.
A quick reminder about ransomware. When you get hacked like this, what has happened is that a piece of malware has been allowed onto your server inadvertently. There are a number of ways you can get it. The most common way is an email comes in and it says something like, “Your UPS package is ready. Here’s the link to access.” And you think, “Oh, UPS, I get UPS all the time. I’ll click this link.”
And when you click that link, it’s actually not a link to any kind of a UPS or FedEx. It’s a link to a piece of software that then quietly runs in the background of your device, gets on your network, lets itself spread around a bit, and then on a particular day or time, someone on the outside controlling it turns it on and encrypts all your files, which are held ransom.
The bad actor will say, “If you give me X amount of money, I will give you a key which will unencrypt all your files.” You can’t get to any of your Excel spreadsheets, can’t get your QuickBooks data, CRM data, whatever it might be. It’s all locked up.
And in almost every case, they do give you a key for your files.
Ruthy: Because they want the key to work.
Tim: They want that key to work. They don’t want the word getting out that it might not. They want it to work so when you pay the money, you might tell someone you had to, and that someone might pay more readily the next time if they are the ones who get hit. And so on and so on.
Now, the way around that, is we shut the server off from any more threats. And then we restore from a backup.
This is where good backups really come into play, and frequent backups, not twice a week.
Now, yes, we were able to completely restore everything. No one paid a dime to the ransom. But, let’s not overlook what happened; this was a colossal mess.
In all three cases, we were able to identify a single employee that had clicked a single link every single time.
That’s three times in our case! All three times.
One of the cases, for example, the owner said, “Well, let’s keep this quiet. She’s a good staff member. I don’t want to come down hard on her for just clicking a link.” And I actually counseled the opposite, which they did. They did click the link, though.
To be honest, it’s really important that this person and everyone else knows what happened. You don’t have to hang them out to dry. But it’s important that everybody knows this, because the link clicking was inadvertent and not done with bad intent. And that’s the whole point.
Ruthy: So that’s what you would recommend for a company as their best source of prevention, is educating their staff.
Tim: Well, if you think about it, again, I’ll refer to the William Kimball show that we did a couple of episodes back, who owns Cyber Defense Technologies, as well as one that we recently did with Scott Tabor from the Michigan Small Business Development Center.
Ruthy: That’s an upcoming episode, with Scott Taber.
Tim: Yes, in an upcoming episode. But in both episodes, they each said the same thing: people themselves are the largest source for these kinds of problems.
Ruthy: Can you tell me what one of these emails actually said?
Tim: In all three cases it was an email that came from someone that they thought they recognized, not generic, like it came from FedEx.
In all three cases, it was an email where the user was surprised to receive it.
They weren’t thinking, “I have no idea who this is so I’m going to click this random link 5 times.” And don’t forget, these things tend to run silently in the background. So you’ll tend to click it and click it and click it, which means even if you have an antivirus that is trying to stop the first one, the second or third one can get through because the antivirus gets overwhelmed.
This is not the days of, you know, “I’m a Nigerian Prince, and you need to send me money.” People are educated enough to think, well, I always get email from Mary at AcmeWidgets.com, or I get stuff from FedEx from time to time.
Now, FedEx will never send you a link like that. They’ll send you a tracking number. But even then, you can tell if it comes from FedEx.
If you have any questions, just go out to the FedEx site and type in a tracking number. Don’t follow the link.
Ruthy: I want to know, you said these ransomware attacks all happened about three years ago, but you haven’t had anything since. Is that because of something that you instituted in these companies? Did you do something specific?
Tim: Well, we talked about it very openly with all of our customers without sharing anyone’s name or hanging anyone out to dry. We just told everyone, “We’ve had three of these now and here’s what happened. Here’s what people did. People just clicked on one of these links and here’s what it did.”
Now, in all cases, we had a spare tire in place. We had the backups in place. Just like, you know, the only time you need your spare tire is because you had a blow out on the highway. Just because you’re using your spare tire, that doesn’t mean you’re not kneeling down by the side of the road, probably in the rain, changing your tire. It’s a mess no matter what.
Tech Gadget: Can grayscale on your phone make you want to use it less?
Ruthy: For Tech Gadget of the Week, this is the segment where we like to highlight some of the more entertaining or interesting aspects of technology that have happened recently, or maybe an idea or something that you think that you should try.
I found this article on wired.com about using grayscale on your phone. This is a concept that’s been around for awhile in terms of saving battery, but this particular article looks at it from the stance of curbing phone addiction. I’ve been kind of trying it out. Have you tried this, Tim? Grayscale on your phone? It’s a little tricky to get set up sometimes.
Tim: No, I actually haven’t tried it yet. I’m aware of it. And I like to think my iron discipline makes it unnecessary, which is not at all true. I should try it.
What Ruthy’s talking about is, you put your phone into grayscale mode and it’s not quite so bright and shiny and colorful.
Ruthy: There’s no color.
Tim: It’s not colorful, and so it’s not as attractive. It becomes more of a tool like it’s supposed to be, and not something that you can just wile away an hour before you realize it, just floating around on Twitter or Instagram or Facebook or anything like that.
It’s a way for you to make you treat your phone more like a tool.
Ruthy has linked the article from Wired.com, and it walks you through how to turn on grayscale for both Android and iPhone. Now, they don’t make it easy! You’ve got to click about six places.
Ruthy: I have an Android. It’s an S8 or something like that, so not super new. And it did, it took me a while of fiddling around with it to figure out how to turn on grayscale, and I’m pretty comfortable with my phone.
One of the problems that I have is that at night, after my kids go to bed, I wind up wiling away two hours on the phone. But last night I put it in grayscale. And yeah, I got bored with my phone a lot faster than I normally do!
I’ve said this before, I love Instagram. And the thing with all those platforms is they use specific coloring in their buttons, in their scroll, and just their branding to get you to stay on it longer. That’s a known fact.
But I did find with grayscale that, yeah, I wasn’t as interested in my phone. I couldn’t see any photos so it was kind of boring.
Tim: When the next morning came around, did you have to turn grayscale off yourself?
Ruthy: I had to turn it off manually, yes.
But, there are two things that I wanted to mention about this concept. There’s a movement called gogray.today, which was kind of about getting your life back and not being stuck to your phone all the time and just keeping it in grayscale always.
But there’s also an initiative coming in the new Android update called Digital Wellbeing. My hope is that update will bring the ability to schedule grayscale almost like a do not disturb. It would be great if I could use it during the day with color, when I’m actually using it for work. And then my entertainment stuff is set to grayscale, or maybe vice versa to kind of get me off Instagram at my lunch break.
Tim: By the way, this movement is bringing the minimalist movement to smartphones. Because this stuff is designed to keep your attention. Again, keep in mind why Instagram and Facebook and all these things are free. It’s because the people who put them out there make money by you using them, because they can sell where you go for advertising dollars.
So the old statement is always true. If the product is free, all that means is that YOU are the product.
So these have been well designed to keep you scrolling, to keep you clicking, and especially on a mobile device, because that’s where most of the action is right now. They want to keep your eyeballs engaged. They want to keep your mind engaged, they want to keep you there. These are designed through psychology to encourage you to keep on scrolling and stay. You tell yourself you’re doing productive things, but then, you know, you really weren’t. And several things didn’t get done because you were just dinking around with your phone.
Ruthy: So I will report back in a couple of weeks. I’m going to keep it on grayscale for at least a few days and see if it cures my Instagram addiction. But so far, it’s easy to use. It definitely makes my phone more boring, which makes it into more of a tool. And my phone should be a tool, so I don’t distract myself in the evenings when I have other things to be doing!
Links:
Millions of SMS Messages Exposed in TrueDialog Exposed Database
Episode 12: Preventing (and Surviving) Ransomware Attacks on Your Business
Episode 38: National Security Expert Says: “Before Paying for the Complex, Figure Out the Basics”
Try Grayscale Mode to Curb Your Phone Addiction
Timestamp:
3:42 Tech News: the TrueDialogue data weakness exposed
10:42 How small businesses can avoid using a company that’s not secure with their data
14:03 Tech Tip: how 3 businesses dealt with a ransomware attack
15:23 How the companies recovered almost immediately
17:46 What caused every single attack, every single time
19:25 What the emails said in every attack
21:05 What Tim’s team did to prevent this from happening again