With thousands of “Not Secure” websites, the web is a candy store for cybercriminals. A “Not Secure” website is their Holy Grail. They are pushing against an open, unmanned door.
9 November 2021 (Brussels, Belgium) – The massive European electronics chain MediaMarkt is currently undergoing a … well, massive cyber attack. As a result of the hack, collection and returns are no longer possible. The cyber attack has been known to MediaMarkt since Monday morning, but it now appears the hackers have had access to MediaMarkt systems for some time and the damage is extensive. According to internal communications leaked to the press, computers that are in their retail shops can no longer be used because they are encrypted. The company has asked employees to remove internet cables from cash registers and not to reboot systems. This afternoon it was revealed that the hackers have asked for a $50 million ransom to be paid.
Clearly the MediaMarkt Risk policy has now been blown out of the water. Whoever was in charge of security, auditing, funding and risk is responsible for a reckless shambles – and that doesn’t even begin to cover this. Governance, responsibility and ownership were delegated, and the Board of Directors clearly abdicated its responsibility.
To understand what happened, let’s establish some elemental issues. And to do so I need to bring in one of my cybersecurity mavens, Andy Jenkinson.
Since 2018, as I have noted in numerous posts, Google, Mozilla, Fiirefox and other browsers, after several years debating, decided to make all websites that were not using the latest HTTPS (instead using the old, and insecure HTTP for their websites) display a “Not Secure” text in the address bar (as we see in the graphic above). So when we use our plethora of technology and tools, we can ascertain what configuration and use of the correct HTTPS is in effect, and every other element connected to that domain (website) and group of subdomains (websites) that hang off the homepage. As Andy explained to me:
It’s very important to understand that the security of a homepage does not flow down to make subdomains secure; however insecurity of subdomains can, and will flow upwards to make a homepage insecure. A website displaying “Not Secure” is the worst public display of security incompetence and negligence.
Having said that, when a website has a padlock, all it means is the digital certificate is valid confirming the website is who you think they are, not a spoof one (with matching certificates) the data has integrity, and data in flight is encrypted. IT DOES NOT confirm the other 90% of the website is configured correctly or has overall security.
So to the casual website visitor or executive, they assume a padlock gives them overall security and typically do not even notice the Not Secure text even when there. When you take a look at the MediaMarkt web site [graphic above] you will see it is “Not Secure” on every single browser because they have been negligent and never swapped HTTP to HTTPS from 2018 onward.
When a company continues to take $billions from their customers, and continue to ignore the security of every one of those customers, for years, they are not victims in any way, shape or form. They were security incompetent and negligent and deserve all they get and the leadership should be questioned. There is absolutely no excuse for such gross negligence. I discussed this at length with Andy. A few segments from that chat:
A chat with Andy Jenkinson
Andy has been one of my two “go to guys” for almost every cybersecurity issue or story I come across when I need the backstory, or I get bogged down on technical aspects (my other is Steve King).
Imagine for a moment that you are a cybercriminal. You’re actively looking for targets, the easier the target the better, from your place of work – using just your laptop and hacking tools, connected to the internet. You could be anywhere in the world.
ME: Andy, how do they work?
ANDY: These guys know what they are looking for, and by far, one of the best indicators for easy access, are “Not Secure” websites. A “Not Secure” homepage is the Holy Grail and confirms the organisation has limited-to-no-control over internet connected security. Nobody will even notice a hacker’s nefarious activity or actions. These guys are pushing against an open, unmanned door. They do not even need to go through all the subdomains. There it is, a “Not Secure” homepage right in front of you. It doesn’t matter that it has been “Not Secure” for three years plus. You have found it and you know just how to infiltrate it and gain access.
ME: So … jackpot. You’ve struck gold. An electronics company with $20 billion turnover, millions of customers and they, like thousands of other victims, have no idea of their insecure position.
ANDY: Exactly. Customers have been going on their “Not Secure”, compromised website in the millions, and for years, and nobody even noticed the “Not Secure” text in the address bar (or just ignored it) and even if they did, nobody addressed it.
ME: Then BOOM! The company announces a cyberattack, shock, horror, and “How on earth could this have happened??!!”
ANDY: Exactly. We are already getting leaks from the internal communications that say, in effect, “Our websites and servers were secure, weren’t they?” And the IT crew is coming back and saying “Well actually no, and they have not been for over three years”.
Look, that is the simple version, and we could talk about this until dawn. Let me sum up as follows, and just give you a few bullet points to share with your readers:
1. This is simply how many (most?) multi-$billion companies get hacked everyday. They are making unbelievable, and incorrect assumptions of their internet connectivity and security and getting caught out.
2. This single event will potentially cost hundreds of $millions to address and remediate.
3. Then there is a $1 billion GDPR fine already making the rounds.
4. And finally, any class actions taken by customers, who may, as a direct, or indirect result of this companies security negligence, be subsequently targeted and suffer digital identity theft with all that implies. This could happen because a couple of years ago they bought a toaster, a kettle or some other random electronic product from a $20 billion organisation that cared little about their own security, let alone the security of their customers.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
Andy just published a new book “Stuxnet to Sunburst: 20 Years of Digital Exploitation and Cyberwarfare“ which takes the reader on a journey from the terrorist attacks of 9/11 onwards and the massive insatiable appetite, focus and investment by the Five Eyes agencies, in particular the U.S., to build capability of digital eavesdropping and industrial espionage. With tens of trillions of dollars moving throughout hundreds of thousands of staff,and many contractors draining the country of intelligence and technical capability, the quest was simple and the outcome horrifying. No one in the world has connected the dots, until now.
From digital eavesdropping and manipulation of the agencies to Stuxnet, this book covers how the world’s first use of digital code and digital certificates for offensive purposes against the Iranians and their nuclear power facilities, caused collateral damage. Proceeding to today’s SolarWinds attack, code-named Sunburst, the same methods of exploitation and manipulation originally used by the agencies are now being used against companies and governments with devastating effects. The solarWinds breach has caused knock-on breaches to thousands of client companies including the U.S. government and is estimated to cost more than one trillion dollars. The monster has truly been turned against its creator and due to the lack of security and defence, breaches are occurring daily at an alarming rate. The U.S. and UK governments have little to no answer. Teh book also contains a chapter on breaches within the COVID-19 sector from research to immunisation and the devastating December 2020 breach of SolarWinds.
I highly recommend it.