Hackers show no mercy—even for pot dispensaries

Anatomy of a national point-of-sale breach and takedown of 1,000-plus marijuana dispensaries


Back when Apple was the plucky young upstart that dared to be different, the Mac was the machine for creative types and there was a perception that it wasn’t a target for hackers because of its cultural cool factor.

You would expect the same rules to apply to the legalized marijuana market, but a major hack attack on a pot dispensary last month sent that notion up in smoke.

MJ Freeway, providers of popular medical marijuana tracking software, suffered a point-of-sale system hack that left over 1,000 marijuana dispensaries unable to track their sales and inventories. Because of the state regulations regarding the sale of marijuana, some dispensaries were forced to close early or shut their doors completely. The disruption lasted weeks and caused patients to suffer long delays in obtaining access to their medicine.

Closer inspection reveals this was a well-coordinated cyber attack that was intended to take the system down.

Picking targets

Probably the real reason Macs weren’t targeted so much in the past was a combination of low user numbers and Apple’s smart approach to security. Nowadays the firm’s devices are so popular with a wealthy customer base that they’re increasingly becoming a target.

The cannabis industry has also been soaring in the last few years, and so perhaps it should come as no surprise that it has become a target, too.

This recent attack on MJ Freeway was aimed at corrupting files and data, rather than stealing them. The company insists no client data was stolen. In a Q&A with mg retailer, a spokesperson claims all medical cannabis patient and business data was encrypted and that there’s no evidence it was compromised. The intention apparently was to disrupt the system, but the motive is unclear.

How did the attack work?

The attack simultaneously targeted the live, production and backup servers at MJ Freeway. Despite having redundancies built in with multiple backups on multiple servers with a variety of companies in different locations, the attackers were able to hit everything in a short period of time.

This is partly because the company was unaware it was being attacked for the first few hours. Once the problem was discovered, MJ Freeway began restoring service for clients within 24 hours.

It’s vital to have a data recovery plan, but this attack also highlights the importance of having strong real-time security to uncover breaches so that you can take action before it’s too late. Once cyber attackers gain access to your system, it’s relatively easy for them to dig deeper and spread laterally.

Prospects for recovery

Customers that maintained a separate data backup have been able to get up and running again with minimal disruption, but others have lost records permanently. The traceability system, which tracks the chain of custody for complete transparency from “seed-to-sale,” was corrupted, and it seems much of the data may be unrecoverable.

This is obviously a disaster for MJ Freeway. Despite working hard to restore service, some customers have already jumped ship, which is the inevitable consequence of any security incident like this.

The costs of data recovery and improving security, along with compensation and reputational damage, could be high. The true cost of a data breach only becomes clear over time.

Lessons to be learned

Many small and mid-sized businesses nowadays rely on cloud-based services like this from third-party providers. By 2020, 78 percent of small businesses will be fully adapted to the cloud, according to Intuit. There’s a big lesson to be learned here: Always maintain your own regular backups.

All the MJ Freeway customers that had an uncorrupted backup that they maintained themselves were able to restore service quickly. It was also easier for them to switch providers with minimal disruption to their clients. That said, whether the client had their own data backups had no bearing on how quickly they had access to an operational MJ Freeway site.

Any business that’s going to put its trust and data in the hands of a third party really must research that company thoroughly.

MJ Freeway has migrated its clients’ sites to a more secure environment, but the real question is: Why did it take an attack like this for them to improve their security? Whatever the cost of this breach ends up being for MJ Freeway, you can be sure it would have been a lot cheaper to implement proper security in the first place.

But that’s always easier said than done.


This article was originally posted on NetworkWorld

10 Things I know about… Security Precautions

10) Change your password.

If you’ve been using the same password for a long time, then it’s time to change it. You should not only change your passwords regularly but also avoid using the same one for every app or website. Try to use more than 13 characters.

9) Turn off wireless connections.

When you aren’t actively using your Wi-Fi, Bluetooth or other wireless connections, you should turn them off to safeguard your privacy.

8) Check privacy settings.

Using apps and services on the default settings often exposes you to unnecessary risks. Dig into those settings and make sure that you aren’t sharing any data unnecessarily.

7) Opt out of sharing data.

Advertisers are thirsty for your data because it is valuable to them, but sharing unreservedly does little for you. Opt out of sharing data wherever you can. You don’t know who has access.

6) Keep your web browsing private.

Take advantage of private web browsing modes, such as Chrome’s Incognito mode, and delete your browsing history, cookies and cache regularly to prevent anyone snooping.

5) Remove third-party social media plug-ins.

It may be quick and convenient to log in to a new app or service with your Facebook account, but you might be sharing more than you realize. Don’t grant third parties access to your social media sites.

4) Turn off geotagging and geolocation services.

When you aren’t using a device to navigate, there’s no need to have location tracking turned on. You should turn off the automatic geotagging of photos.

3) Use credit cards, not debit cards.

You enjoy an extra layer of protection with credit cards, making it easier to claim money back if something goes wrong with a purchase you made. Don’t use debit cards online.

2) Only shop online at trusted websites.

It’s very easy to get a browser extension that will only permit access to secure HTTPS websites.

1) Act quickly if you suspect cybercrime.

If you think you’ve fallen victim to cybercriminals, you need to take action quickly. Call one of the three major credit bureaus and place a fraud alert to make life harder for criminals and identity thieves.


This article was originally posted on Worcester Business Journal

6 Ways to Launch a Targeted Cyberattack

What you need to know to defend against targeted attacks.

The threat of a targeted attack for any business is real and substantial. It’s vital to ensure that your organization can identify constantly evolving threats, find abnormal and suspicious activity, and take effective action to keep your data safe.

Consider that, on average, attackers are in a network for more than 140 days before they’re detected, and 60% of network intrusions are eventually traced back to credentials, according to Microsoft.

Most successful targeted attacks follow six steps or stages, though it’s important to remember that these steps often run in parallel. Multifaceted attacks are common, so a robust threat response plan should address all six steps and avoid jumping to conclusions.

It’s not just about implementing the latest safeguards and software tools; awareness is paramount if you want to keep your data safe. After all, cybersecurity is only as strong as your weakest link — your employees.

Gathering intelligence

Every attack begins with a reconnaissance mission where attackers gather data about their target, but this step continues throughout the life cycle of a targeted attack. The more data attackers can find about how your network operates or where the weak spots are, the more likely it is that they’ll pull off a successful attack. A lot of that data can only be accessed within company networks, so intelligence gathering continues well beyond the initial penetration.

Finding or creating entry points

Spear phishing emails are still disturbingly effective. Amazingly, 30% of them still get opened, according to Verizon research. A range of different employees may be targeted to help attackers create a complete picture of the network.

Watering hole attacks, where a frequently visited website for the target organization is compromised to gain entry to the target network, are also growing in popularity. Once in, attackers add backdoors to systems wherever they can, creating more and more possible entry points in case older routes are discovered and closed off.

Command and control

For a targeted attack to be effective, the attackers need to be able to take control of compromised computers and other devices and make them speak to each other. This communication creates a certain amount of noise.

Attackers go to great lengths to hide C&C traffic, often creating internal servers that can be exploited through backdoors and then used to compromise and control other machines on the target network.

Lateral movement

Too many security systems focus on building a wall designed to keep attackers out. It may be difficult to gain access to a specific system, but once inside one system, it is often a much simpler prospect for attackers to spread laterally and gain access to more.

Sometimes they can even use legitimate system administration tools to hide their activity, grant more privileges to compromised accounts and devices, and gather more intelligence on how to perpetuate and spread the attack.

Maintaining the attack

Targeted attacks are not about smashing and grabbing. They are often sustained infiltrations designed to remain in place undetected for months or even years.

As long as there is valuable data to be exfiltrated, it’s in the interests of the attacker to keep the attack operational. That means spreading control, identifying and creating new points of entry, and possibly even patching vulnerabilities to ensure that other attackers can no longer gain entry the same way they did.

Exfiltrating data

At the end of the day it’s all about data exfiltration. This is usually the entire point of the attack, but it’s also one of the riskiest steps. Extracting data is virtually impossible to do without creating noticeable network traffic that could expose the attack. Stolen data may be hidden elsewhere in the target network for later extraction, as attackers build a big enough stash to make the risk of discovery worthwhile, or they find a way to hide the network traffic.

It’s sensible and worthwhile to build secure defenses from the wider internet, but organizations must also scrutinize internal traffic and systems. It is only by continually monitoring, analyzing and testing your security that you have any chance of uncovering and foiling targeted attacks. Understanding how attackers think can help you plan a solid defense and create a response plan that will work.
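As an added illustration (not part of the original article), the sketch below shows one way to scrutinize internal traffic for the pattern described under "Exfiltrating data": a host first collecting an unusual volume from internal peers, then sending an unusual volume out. The flow records, the 10.0.0.0/8 internal range, and the `factor` and `floor` thresholds are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range

def build_flows():
    """Constructed sample flow records: (day, src, dst, bytes)."""
    flows = []
    for day in range(1, 6):
        flows.append((day, "10.0.1.10", "10.0.5.20", 40_000))      # routine internal traffic
        flows.append((day, "10.0.5.20", "198.51.100.7", 200_000))  # routine outbound traffic
    # Day 4: one workstation collects bulk data from three internal hosts (staging)
    for src in ("10.0.1.10", "10.0.1.11", "10.0.1.12"):
        flows.append((4, src, "10.0.5.20", 3_000_000))
    # Day 5: the same workstation sends a large volume to an external address
    flows.append((5, "10.0.5.20", "203.0.113.50", 9_000_000))
    return flows

def is_internal(addr):
    return ip_address(addr) in INTERNAL

def daily_totals(flows):
    """Per (host, kind), sum bytes per day: received from internal peers, or sent outside."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            totals[(dst, "staging")][day] += nbytes
        elif is_internal(src):
            totals[(src, "egress")][day] += nbytes
    return totals

def find_anomalies(flows, factor=5, floor=1_000_000):
    """Flag days where volume is at least `floor` and above `factor` x the host's earlier median."""
    alerts = []
    for (host, kind), per_day in daily_totals(flows).items():
        for day in sorted(per_day):
            history = [v for d, v in per_day.items() if d < day]
            baseline = median(history) if history else 0
            if per_day[day] >= floor and per_day[day] > factor * baseline:
                alerts.append((day, host, kind))
    return sorted(alerts)

if __name__ == "__main__":
    for day, host, kind in find_anomalies(build_flows()):
        print(f"day {day}: {host} unusual {kind} volume")
```

Comparing each host against its own history, rather than a single network-wide limit, is what lets the internal staging step surface a day before any data leaves the network.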