Liquid Cargo/Protected Harbor
Kevin Richard Truck 2

Lesson learned: U.S. Container Depot, Liquid Cargo tighten IT security

Dec. 29, 2021
As cybercrime escalates post-COVID, recent NTTC chairman details his response to 2017 ransomware attack

Kevin Jackson was vacationing on the other side of the country when Liquid Cargo was hit with a ransomware attack in 2017.

The moment he realized he isn’t immune is seared into his memory.

It was close to midnight Friday, Feb. 17, to be exact, and the start of a holiday weekend before President’s Day the following Monday, meaning the now anxiety-filled Liquid Cargo and U.S. Container Depot president had little hope of resolving the situation quickly—or of fully enjoying his stay in California.

The entire ordeal disrupted Jackson’s West Palm Beach, Fla.-based bulk transportation and logistics operations for nearly two weeks, and cost him five bitcoins—at the time a nominal ransom, especially by today’s standards—to unlock the encrypted data, restore their systems, and return to “business as usual.”

It also changed the way he thinks about business in an internet-connected world.

“It made me realize that there were some serious shortcomings in our security measures,” Jackson recounted.

To address his companies’ now-glaring deficiencies in information technology support and security, Jackson turned to Richard Luna, who’s the chief executive officer of Protected Harbor—a full-service IT solutions provider with a tech-savvy team of software engineers and programmers who are dedicated to delivering unmatched stability and durability that turns technology back into a benefit, instead of an expensive distraction.

Through their collaboration, Protected Harbor also developed and debuted a new subsidiary, TMS Digital, which provides Jackson and others with fully mobile, fully protected transportation management software.

Now Jackson enjoys a peace of mind worth more than any ransom payment.

“I don’t worry about my technology anymore,” he said. “And that’s something that’s completely different.”

Lesson learned

The attack on Liquid Cargo originated in Nigeria.

Using a remote desktop protocol (RDP) connection on a decommissioned computer that hadn’t been properly disabled, and an old password, the hacker entered the company’s network, backdoored into its backup system, deleted all the backup files, encrypted the originals, and emailed Jackson about his predicament.

First, he contacted the FBI, whose agents didn’t tell him to pay the ransom, but said that likely was the only way he’d retrieve his information. At the time, Liquid Cargo contracted with an individual for IT support, but he couldn’t discern how to restore their systems, so Jackson reached out to gauge the hacker’s demands.

They wanted three bitcoins in exchange for an encryption key.

At the time, one bitcoin was worth less than $1,000—the digital currency’s value later skyrocketed, reaching $20,089 by Dec. 17, 2017—and Jackson figured $3,000 was a small price to avoid extended downtime. Still, he negotiated, and the hacker agreed to accept two bitcoins, so Jackson, who knew nothing of cryptocurrency at the time, spent the holiday weekend learning how to obtain bitcoins, which he finally did.

He transferred the bitcoins, received the password—then learned his information was double encrypted.

Again they wanted three bitcoins, and again Jackson tried to negotiate, but this time they refused. He had a harder time securing the coins the second time around, he said, but eventually succeeded, wired the money, and received the passcode, which unencrypted all Liquid Cargo’s data, and restored its systems.

“We were down for eight business days, but it was about a two-week period, when you count the holiday weekend,” Jackson said. “Now, we’re small, so it was easy to work off spreadsheets, but there was a lot of catching up, in terms of billing. I don’t believe we lost anything, as far as revenue or drivers, because we’re small, and it was easy to fill in pay in a timely manner, but it was devastating. And because we weren’t set up for it, it put us so far back.”

The first thing he did after he was back up and running was search for a new IT service and security vendor. Contacts introduced him to Luna, who deep dived into their systems, and informed Jackson “he needed a lot of help.”

His companies made the move to Protected Harbor’s platform in August 2018.

“Any change is difficult, but it was immediately clear how beneficial it is to work with a company vs. an individual who is focused on IT, and that was available 24-7,” Jackson said. “The everyday problems that we had are gone, and the security we’re getting from this is light years ahead of where we were previously.”

Escalating concern

Unfortunately, many trucking companies still are light years behind, and Jackson’s unpleasant experience isn’t unique.

“It’s a common exploit,” Luna said. “We’re working in the 1990s shared model, so if anyone in a 10-person office with shared drives clicks on the wrong thing and gets infected, now all of the documents are infected. And then, because it’s a flat model and one computer can talk to another, they all become infected, and there are no guard rails, no layers of protection, and the situation becomes a mess to clean up.”

And cybercrime has only escalated since the attack on Liquid Cargo.

This year, the average cybersecurity breach cost companies $4.2 million, with $1.07 million attributed to COVID-related remote work and companies accelerating their digital transformations, according to an IBM Security study conducted between May 2020 and March 2021. The same research pegged the transportation industry’s average breach at $3.75 million. That includes trucking, airlines, railroad, and delivery companies.

“Over the last year, technology sophistication, the proliferation of hacking techniques, and the expansion of hacking motivations due in part to COVID-19 and the enablement of the remote workforce have resulted in organizations having to review their security posture,” Joe Russo, IT director for Isaac Instruments, said during the transportation technology company’s virtual user conference held in November.

“It’s a matter of when—not if—you have a security incident.”

Luna said companies in the financial and medical sectors remain the most popular targets, but the transportation industry is right behind, and “there’s a lot more security in those environments than in transportation,” he said. Compounding the problem, largely due to deregulation, many trucking companies are small businesses with fewer protections.

According to a Verizon 2021 Data Breach Investigations Report (DBIR), small businesses—those with 1,000 employees or less—experienced 1,037 known incidents worldwide in 2020, compared to 819 for large businesses, and 263 data breaches (there were 27,351 incidents and 4,688 breaches among companies of unknown size).

“A lot of trucking companies are owned by people who drove years ago and then added trucks and moved into operating,” Jackson said. “And their experience is, I do it all myself. I fix my truck, I make the phone calls, and when they dispatched, it was faxes and paperwork. So it’s similar to what’s going on with the trucks.

“You used to take a truck to a mechanic to get it fixed. Now you have to take it to a service center, so they can plug it into a computer that diagnoses the problem. And you can’t just take it anywhere. You have to go somewhere with the proper software to diagnose that truck. Now, we understand that, because if you don’t take it to the right place, the truck won’t work. What we haven’t learned as an industry is the fax machine is now a computer and server—and you can’t fix them on your own.

“That’s one of the reasons why the trucking industry is so vulnerable. We haven’t recognized the significant change from filing cabinets, paperwork, fax machines, and DOS computers, to cloud-based systems, internet access, and everything’s digital.”

Remote servers also make DIY fixes more difficult, Luna said, as does the increasing speed and aggressiveness of cyberattacks. And poor or factory-default passwords and older hardware only make criminal intrusions easier—and the resulting downtime, and costly, pen-and-paper regression, increasingly likely.

Tightened security

Luna insists no one should spend weeks with compromised systems. When they do, it means too few safeguards were in place.

A problem solver by nature, and technologist by training, Luna dedicated his career to strengthening safeguards. The New Yorker spent three years in the early 1990s as CIO for U.S. News and World Report before leaving to start his own businesses. He built three commercial software packages, of which password-resetting tool Netmagic was most widely adopted, with “hundreds of thousands” of users, many in the World Trade Center before 9/11. He started Protected Harbor with a service-oriented mindset in 2008.

The company’s safety strategy demands full control. To ensure it, Luna discourages clients from using widely available commercial products, like Microsoft Office 365 email, or Zoom video conferencing, and Protected Harbor doesn’t share cloud-based servers.

“The biggest difference between us and other MSPs, or managed service providers, is that they’re reselling other people’s services, and we’re building everything we manage,” Luna said. “We own it, and it’s all dedicated. We’re engineers, so we don’t want to go to a third party. We want to control everything, so if there’s a problem we can fix it quickly.”

Protected Harbor hosts “clusters” of computers, with dedicated servers for individual clients. If one computer, or “node,” in the cluster fails, it shuts down, and the next one boots up. “Kevin’s dedicated server is ‘virtual,’ meaning he doesn’t have a physical box anymore,” Luna said. “So if somebody tries to attack it, the virus doesn’t understand where it is, because there’s no disc to go after, and there’s no CPU to attack.”

Algorithms powered by artificial intelligence monitor for threats, backups are isolated, and exploitable third-party software is eliminated. “(We don’t have) man-in-the-middle attacks, where there’s a tool the MSP has deployed to thousands of clients, hackers compromise the tool, and now they can attack through the tool.” Luna said.

“I believe in the cloud from a hosting viewpoint, but I don’t believe in the cloud from a vendor standpoint, meaning everything we utilize, from our phone system to our ticket and email systems, is hosted internally.”

Protected Harbor can detect and react to threats more rapidly by building its own systems. Phishing attacks, present in 36% of breaches last year, according to Verizon’s 2021 DBIR, remain most common, and Liquid Cargo is alerted within minutes of someone opening a suspicious email link. “That’s fast enough that we can be more proactive, because ransomware needs time to percolate, ferret out files, and figure out where everything is,” Luna said. “Because we’re able to respond quickly, we eliminate their oxygen.”

Their application outage avoidance (AOA) goes beyond standard IT monitoring, which Luna says looks for low disc space and memory issues, to build a “protective bubble” based on how cyberattacks actually occur. Security strategies include geo-blocking, which prevents logins from places a company doesn’t have employees—like Nigeria, in Liquid Cargo’s case—and monitoring domain names that are similar to clients’ websites to prevent hackers from using them to trick their customers into divulging sensitive data.

Best of all, Jackson says, his data belongs only to him.

“It’s on their servers, but it’s my information, and they don’t have a right to use it,” Jackson said. “Whereas with some of their competitors that offer technology services related to the trucking industry, you can use them, but they also have a right to use your information however they choose. And so there’s some fear in the fact that they know where you are at all times, and can sell that information to anyone.”

Protected TMS

TMS Digital, a subsidiary of Protected Harbor, is the product of Luna’s collaborative approach to assisting clients.

While delving into Liquid Cargo’s systems post-attack, he realized their transportation management software (TMS) was exposing them, largely due to the providers’ inability to adapt to mobile workflows. So he bought the company, reworked its software, and last year introduced new TMS with Protected Harbor-level security.

TMS Digital solutions include dispatching, ticketing, and international fuel tax agreement (IFTA) reporting, all of which is boosted by “automated grooming” that keeps associated databases up and running in “perfect condition.” The company also now is rolling out digital document capturing dubbed TMS Trucker that eventually will link to their dispatch software, allowing drivers to update delivery status in real time.

“We have a vision for what we want to do, but we’re not technologists,” Jackson said. “They are. So we’re able to sit down and say, ‘Here’s what we want,’ and that’s actually what the TMS Trucker came out of. It was different trucking companies sitting down with them and saying, ‘This is what would be really helpful.’”

Custom support

Help from Protected Harbor begins with a TIP, or technology improvement plan.

TIP audits paint a clear picture of the problem with interviews, equipment assessments, event-log reviews, and an IT security score that enables Luna’s team to customize a platform for real-world needs that doesn’t require major changes in operational behavior. Then they implement solutions at the client’s convenience.

“The way to get technology accepted by people who don’t appreciate it is to make it more accessible,” Luna said. “And that means making as few changes as possible.”

Sometimes the plan requires “an audible.” Liquid Cargo’s score was a nine out of 100, and its systems were “glacial,” so the migration to Protected Harbor’s platform would have taken longer than expected, leading Luna to “rip off the band-aid” by taking their servers to his office, and extracting the data directly.

“It was ugly,” Jackson acknowledged. “It really was, to the point where, it was hard to believe it was that ugly.

“But having now seen what we had, vs. what we have now, I do believe it.”

The process typically takes from 12 hours to a week. Full-service monitoring includes system maintenance and unlimited support for a flat fee based on employee count. “Sometimes I get emails I’m not sure of, so I’ll send them over and ask, ‘Is this safe to open?’” Jackson said. “We work with the international community on the container side, so I regularly get emails from other countries that may be suspicious, and they’ll review them in a safe environment and tell me, ‘Yes, it’s OK to open’ or ‘No it’s not.’”

Inaction is inane

Trucking companies frequently relegate IT protection to the back burner.

They’re running hard to meet post-COVID demand, so, despite the growing risk, rationalize delays, figuring, “Why fix it now, if they haven’t broken in yet?”

That’s a potentially expensive way of thinking.

Jackson was fortunate. He ended up profiting off his new cryptocurrency knowledge. Only two years later, J&M Tank Lines wasn’t as lucky. They avoided paying a bitcoin ransom worth $350,000, stemming from an April 9, 2019, ransomware attack, which included a “trojan-horse” assault 60 days later, but still spent nearly that much money to regain control of their network, and lost countless hours of productivity.

“The costs are going through the roof, and insurance providers now are pulling their ransomware addendums,” Luna said.

That’s why Jackson says tank truckers can’t afford to ignore the issue any longer.

“I put it off for a long time because I thought ‘We’re a small company, no one’s coming after us,’” he said. “Why would they do that? And things were aggressive in 2017, but they weren’t anywhere near as aggressive as they are now, and we still got hit.”

So whether it’s with Luna’s company, another cybersecurity or IT service provider, or a simpler solution—act today. Update firewalls and employee rosters, enable two-factor authentication, and for the love of all devs, disconnect the backups.

“In the tank truck industry, we’re at risk every day we’re on the road,” Jackson said. “So the idea is, we want to keep our risks to a minimum, and this is one everybody can take off their plate.

“They don’t even need to devote a lot of time to it.”