Why Ontario Municipalities fall victim to Ransomware, and why Cambridge could be next

February 16, 2019 | Filed under: Politics

Why Ontario Municipalities Fall Victim to Ransomware

Ransomware is a solved problem. We know how to minimize the effect of a ransomware attack on our infrastructure: it comes down to a combination of fundamental security techniques, namely compartmentalization, access control, and recovery. If lateral movement is properly contained in your network, the worst you should ever have to worry about is a single affected workstation. And at the very worst, a proper backup regimen serves as the failsafe.

So why did we see both Midland and Wasaga Beach fall victim in the closing half of 2018? Derek Bowers, CITO, Wasaga Beach, said it best, “we were behind the curve”. He was referring to the fact that the city had been planning to segment their network, which would have properly protected their backup system. Segmentation has been around for a long time, I recall learning how to do it effectively back in 2005. Instead, both paid the ransom and indicated to criminals that Municipalities make easy targets and are willing to pay.

So are Midland and Wasaga the exception? Experience in the industry tells me no. This is the norm, and I’ll prove it. Let’s take a look at my own municipality, The City of Cambridge.

In 2015 I attempted to pay a parking ticket online. Oh, their site is HTTPS! Awesome, right?

I was going through a phase though where I wasn’t trusting that HTTPS was actually configured properly. So I ran the industry standard Qualys test, and my jaw dropped.

At the time, SSL3 had a major vulnerability that was already a year old, and it was accepted industry-wide that the protocol could no longer be considered secure. The flaw lets an attacker who is on the same network as you steal your credit card information while you pay a parking ticket. The issue is usually caused by legacy systems that can’t be updated, or that are too expensive to update. It can be properly mitigated with a low-cost server or virtual server running a reverse proxy like NGINX: the proxy terminates user connections with modern TLS, and the insecure segment stays INSIDE your protected network. (1-2 hours of work, to be honest.)
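The reverse-proxy mitigation just described, as an added configuration example (not the City’s configuration, and not from the original post): NGINX terminates public connections with TLS 1.2/1.3 only and forwards them to the legacy application on an internal-only address. The hostname, certificate paths and backend address are assumptions.

```nginx
# Added example: TLS-terminating reverse proxy in front of a legacy application.
# Hostname, certificate paths and backend address below are assumed values.

# The weak setting this replaces (what the legacy server was effectively offering):
#   ssl_protocols SSLv3 TLSv1;

server {
    listen 443 ssl;
    server_name payments.example.gov;            # assumed hostname

    ssl_certificate     /etc/nginx/certs/payments.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/payments.key;   # assumed path

    # Only modern protocol versions are offered to the public; SSL3 and
    # TLS 1.0/1.1 are never negotiated at this edge.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to use HTTPS only for the next year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # The legacy application lives on an internal-only address that is
        # not reachable from the Internet, so the insecure hop is confined
        # to the protected network. If the legacy app insists on its own
        # HTTPS, proxy_pass https://... plus proxy_ssl_protocols governs
        # that internal hop instead.
        proxy_pass http://10.0.5.20:8080;        # assumed internal backend
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Redirect plain HTTP to HTTPS so nothing sensitive is ever sent in the clear.
server {
    listen 80;
    server_name payments.example.gov;            # assumed hostname
    return 301 https://$host$request_uri;
}
```

Check the syntax with `nginx -t` before reloading, and then confirm the result the same way the post did: re-run the Qualys SSL Labs scan against the public hostname and verify that SSL3 and TLS 1.0 are reported as not offered. The important design point is that the firewall must also block direct Internet access to the backend address; otherwise the proxy is only cosmetic.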

Instead of paying the ticket online, I decided it best to go to City Hall and report it. After paying the ticket I asked the counter person if I could briefly speak with someone regarding a serious flaw in their website security. I was told to leave my number with her and she’d have someone call me. I’m still waiting. I tried again in 2016, called them in 2017.

In April of 2018 I spoke with a fellow named George Georgiadis who identified himself as being responsible for security issues on the City infrastructure. I briefly explained my concerns and he said he was very interested in making sure that security concerns are taken care of. He escalated to manager of communications Shawn Falcao, who also said how much he appreciated my concerns, and escalated this to ‘his guy in apps’. This individual took notes on my disclosure and said that they would look into it and that if there was any merit they would fix it. I offered to write a report to help them understand the severity, as the fellow had zero experience with PCI DSS and did not even know what TLS was, but in the end his assurance that he understood and would look into it was enough. I never heard back. It didn’t get fixed.



