Secure With Celerity Episode 17
DAVID TAYLOR [00:00:08] Hello. It’s Friday, which means it’s time for another episode of Secure Celerity. I’m your host David Taylor and to help me discuss the week’s top cyber security stories is the Sean Bean of the cyber security industry. I’m now calling him Joshua Read. How you doing, Josh?
JOSHUA READ [00:00:22] I’m alright. How you doing?
DAVID TAYLOR [00:00:25] Not too bad. Ready to kick off the week’s stories. Yeah, let’s crack on with the first one. So the headline of the week we’re going to discuss is: corporate VPNs are in danger as phishing attacks are targeting homeworkers.
JOSHUA READ [00:00:42] It doesn’t surprise me. Honest to God. There’s been numerous reports that I’ve read over the past couple of weeks, and there’s obviously clear evidence over the past few months, based on the Twitter attack breach, that vishing is on the comeback, really. Experts have warned that vishing attacks are set to rise. And after the success of the Twitter breach, I’m not surprised. I think the method of the attack is the most interesting element of this. It’s probably the most human element of a cyber attack, in addition. For those who don’t know, vishing essentially is voice phishing. So it’s using methods such as phone calls, physical conversations, to basically force you to do something that you don’t really know has bad intention behind it, you know what I mean. So an example of this would be for me to convince you in person, or over the phone or something, to lend me a fiver and I’ll say, yeah, I’ll get it back to you tomorrow, double. It’s a very vague and, you know, very basic version of vishing. But, you know, I don’t have any intention of giving that fiver back, and you don’t know that. But, you know, that is technically vishing. It’s a very basic example of it. Vishing is probably more commonly associated with the B2C tech support scams, which everyone’s grandma has received over the last decade. You know, your aunt was on the fritz and needs mending. Send me a hundred pounds and I’ll fix it for you. Obviously, they don’t fix it. Usually nine times out of ten, they do it through a session and install a Trojan on the PC or something like that. It’s an interesting but a very old and often unsuccessful tactic when it’s compared to, say, the world of phishing. So, I mean, in this scenario, let’s take Twitter, for instance, they reportedly had fake vishing calls or vishing scams associated with the phishing emails. That’s how they managed to circumvent the two factor authentication.
So in that scenario, apparently they were in open contact with the attackers, who were posing as support, and the employees were basically helping them, providing them with information to get through the two factor authentication. So, yeah, it comes as no surprise that VPN is being targeted, especially with the current climate. Everyone’s working from home still and VPN is still key to everyone’s interests, whether it’s an organisation’s CSO, they want to secure their workforce, make sure that they’re working securely. A lot of people have enabled multi-factor authentication on their own VPN clients. And essentially what I envisage happening with this is, as multi-factor authentication becomes more and more popular, this coupling of phishing and vishing in the same attack will become more and more common, because phishing alone isn’t good enough to circumvent the multi-factor authentication, because quite often the code that you’re supplied is only available for 30 seconds and then it expires. So what we’re talking about here really is a multitude of attacks mixed into one in order to help them get through multi-factor authentication protections. It’s a scary thought to think that multi-factor authentication, which is heralded as some sort of, you know, be all and end all against account compromises, can be so easily circumvented by vishing, but, yeah, it’s a serious threat. I mean, I think someone gave detail unofficially about the Twitter hack and they just basically delivered a one-two punch, with one attacker calling the victim, and I’m not sure what the lure was, probably something around, we’re seeing problems on your account, can you log in? And then the victim is providing the credentials, and another attacker basically puts in the stolen usernames, passwords and the two factor authentication pins from the fake pages. You know, it looks like it worked, as Twitter got done in pretty bad.
DAVID TAYLOR [00:06:13] You know, we say vishing alone isn’t particularly that effective. But I imagine, plus the whole social engineering, it’s like giving a bit of urgency to it and kind of putting someone on the spot. I think if you send someone an email, they can go, I’m not interested at all, it looks a bit dodgy. But someone’s agreed on the phone because you put them on the back foot. So, you know, they have other stuff going on, especially if you’re working from home as well. If you’ve got little kids running around, there’s this added pressure that’s probably gonna force people into maybe doing something that they might not have done, or don’t want to do, with a bit more clarity and a bit more time to think.
JOSHUA READ [00:06:54] Yeah. I understand it. I often believe the communication is portrayed in a different light when it’s put across an email or a text or, you know, a message or anything like that. When it’s talking face to face, or even a conversation like we’re having now, the personalities, the emotions, everything is completely different. And there’s almost an element of, not trust, but there’s an increased element of trust there than there would be if you were sending a message, because you can put a name to a voice, or even a face in certain circumstances. And, you know, that’s what the scary element here is. I think too often vishing gets brushed under the carpet and maybe pushed aside because they don’t see it as a threat. It’s not commonly used. It’s not really effective. But that’s where they’re wrong, because as we’ve said, as you said so far, you know, the biggest social media hack was performed by three teenage kids who basically used phishing and vishing tactics to circumvent Twitter’s multi-factor authentication methods, which is massive. That’s the lure. You know, if you can bypass multi-factor authentication, quite often the security behind that multi-factor authentication is reduced, because they view that multi-factor authentication as the be all and end all against account compromise. So they don’t worry about the need for additional security behind that multi-factor authentication page, if you know what I mean. And it’s a danger. It is very, very dangerous. And there’s only one real way of helping remediate, and that’s through education and talking about it. And this is what needs to happen in organisations. They need to understand that, you know, these vishing attacks, they are present and they are effective.
And people need to understand, you know, what information they’re providing over a phone call, what information they’ve given to unknown entities, and how beneficial that could be in the wrong hands, if you know what I mean.
DAVID TAYLOR [00:09:13] I think we’ve covered stories before, we won’t go into it. And we’ve definitely covered stories before where people use, like, deepfakes to sort of impersonate a CEO or CFO and then get them to make payments, you know, just another layer of, can you pay 200,000 to this supplier today? They may question it and then they get a call from said CEO or director, who wants it made. And then it’s just that extra layer of like, oh yeah, this is legit. We need to do it. But there’s one, and this is a little bit different, but one video that’s always stuck in my memory that I saw online, I think on YouTube. There was this lady, it’s in America, she was ringing up like a mobile phone network, and she pretended that she wanted to change the password on her husband’s account. But what she also had, and what she kind of used to force the representative to help her out, she had like a YouTube video of a baby crying. So then she had the baby crying in the background. And then she was like, oh, sorry, the baby, like, you know, just to create that kind of hectic, I’m a bit busy feeling. And in the end, she actually managed to wrangle out the password of her husband’s, I guess, the equivalent of like a Vodafone account, and then managed to get in that way. And I know that’s not quite hacking into a business, but it definitely shows what you can do with just a little bit of social engineering tactics. The urgency, that’s what’s going to get you in there.
JOSHUA READ [00:10:32] Yeah, definitely. And, you know, those types of tactics are most likely gonna be used, whether it’s a baby crying in the background, whether it’s, I don’t know, the actual person on the phone sounding very, very upset. You know, it’s dependent on the scenario, and the hacking works on the same premise. It’s playing on the flaws of human personality and human behaviour, which is exactly what social engineering is.
DAVID TAYLOR [00:10:58] Yeah, definitely. I mean, I think vishing is only going to keep on going from the looks of things. So shall we move to our next story of the week. So this one, the headline being that almost 235 million YouTube, TikTok and Instagram profiles were exposed on an unsecured database. So this is basically companies scraping the Internet, social media platforms, where people have openly public information that people might not know about. And it’s essentially all stitched together to create profiles of me or Josh, out on the Internet. But what happens when you have those and someone has actually just left it on the Internet.
JOSHUA READ [00:11:42] Another week and another insecure database online. So a researcher found the database and there was all sorts in it, likely to belong to Social Data. There is information that social media users publicly share, so technically this information is publicly available to attackers, but even congregated in one small area. The problem element here is, this company was collecting this social media data, so your name, what your interests are, what your political agendas are, and congregated it to build almost an online profile without your consent. Now they are able to do that because it’s publicly available information and they are just taking what’s available on the web. Which begs a bigger issue about people not understanding what the impacts are on their own digital privacy. It’s something I feel really passionate about. And, you know, the data contained names, contact information, personal information, images, statistics and even, you know, political agenda stuff. So it’s to fit their interests in terms of politics, which obviously Cambridge Analytica had a fight about. That was a big hoo-ha a couple of years ago. You know, it begs the question, what information is available out there about any one individual. Now, if you don’t put the security conditions on your Facebook, on your Twitter or anything like that, anything that’s public, essentially anything you put on those platforms is available to anyone who wants to look for it. You know, you’ve seen it countless times with celebrities, where basically cancel culture is coming forward and finding old tweets from individuals, celebrities, that are either racist, homophobic, et cetera, et cetera.
Now, the celebrity might not even be aware or remember that they tweeted that, but all of a sudden it comes to the forefront, and it works in the same way. That information is available on a public platform. So, you know, anyone can find it if they’ve got the desire to find it. They will go and find it. But as I said before, this highlights really how unaware individuals are about what they post online, the information that they provide to the Internet. Some people feel very comfortable. I know a lot of people who aren’t bothered about what information is out there about them online. I personally don’t like the idea that, you know, there could be a profile of me somewhere, where everyone knows who I voted for in the last general election and what my interests are, what I like. You know, I would go above and beyond to make sure that I wasn’t seeing that on the Internet. But, you know, if they’re gonna be collecting this information in one area, you would have thought they would put decent security in place to make sure that it wasn’t as easy as literally walking in, picking it up and taking it out, and just saying, yeah, I’ll just take this. This will be helpful in the 2021 elections.
DAVID TAYLOR [00:15:27] Yeah, definitely. Well, I think one bit I kind of noticed in the article is, it says it’s not, you know, it’s not just that you can get this information publicly online. But apparently the simple act of scraping and matching public data isn’t actually allowed. It doesn’t go into details about what the legal implications involved are. But it seems like, yes, it’s out there, but the very act of scraping it and putting it together is the issue. So I don’t know yet. It sounds like they’re washing their hands and saying, hey, it’s nothing to do with us, but it kind of does.
DAVID TAYLOR [00:18:31] You know, it was when GDPR came in. That’s what you were talking about, the fact now is you can’t go to a website without a pop-up. It’s almost just like the old days where we used to get ads that pop up, you just click it, close it, and accept and close. And so people don’t read it. I found some pages don’t actually allow you to browse the page unless you click accept on the cookies, which I think is really annoying. The whole point is, like you said, you can opt into it. But are you really going to stop someone going on the page…
JOSHUA READ [00:19:03] I think the main thing I’m trying to get across here is that.
JOSHUA READ [00:19:06] People need to be aware about what they post online. That is rule one-oh-one, rule number one, of cyber security. Just be aware of what you post online, because you’re basically advertising yourself and your interests on the Internet. Now, the best way I put it is, view your information as having monetary value, because technically those companies will take your information and sell it on, because that’s how they make their money. That’s how they generate revenue on their website. So if you’re willingly giving up something for free and then someone else is making money off it, it doesn’t sit very well with a lot of people. And obviously marketing teams and people around the world probably hate me right now for saying that, but that’s the bottom line. And this information, you know, I see far too often people posting suspect information, or stuff that you shouldn’t really be sharing to the public on social media platforms, and you think, do you not understand that that’s a public post and anyone can share that and anyone can see, you know, pictures of your children, even stuff like that. Anything can be used in the wrong situation, and just understand that information is really valuable to anyone.
DAVID TAYLOR [00:20:38] Yeah, I think, you know, going back to you talking about marketing teams, you know, I work in marketing and sales and we do need to collect some data. And the one thing I learnt quite recently was that within sort of Google Ads, you can actually target people within Gmail based on what emails they’ve received. So, you know, if you work for a clothing company and someone’s received an email from your competitors that says your order has, with the competitor’s name, you can actually target that person. So Google is technically reading your emails and analysing that and saying, hey, you want to advertise to someone who’s just bought a bike or who’s buying clothes, and allowing you that opportunity, which is crazy, absolutely crazy. It just highlights how much information is going in and where it’s going to. Right. I think we should go on to our next story because we’ve been trundling along the last two stories. So this story is that North Korean hackers have pwned a cryptocurrency sysadmin with a GDPR-themed LinkedIn lure, which we’ve seen LinkedIn lures before. But this is the Lazarus group, a.k.a. APT38, and basically sending initial malware-infected file attachments in a LinkedIn message, which was in Beijing, the sysadmin message recipient opening it for details of an exciting new job. Which in this climate, people might be looking for.
JOSHUA READ [00:22:01] It’s just a classic document. A classic macro-enabled document, enable content, it runs a script in the background, talks to a C2 server, pulls down secondary malware. That’s a Trojan that’s stealing data, etc., etc. It’s not pleasant. It’s quite interesting how they use LinkedIn to push these now. It’s a very effective way of doing it because people see LinkedIn as a safe haven for business, really, professionalism. And, you know, everyone knows if you receive a document from an unknown sender on an email, you don’t open it, you just delete it. But if you receive a little-known document from an unknown sender on LinkedIn, you’re like, I wonder what this is? Are they trying to tell me something? Are they trying to get me a job? It’s an interesting tactic from the group. I mean, they’re known for targeting financial institutions in order to siphon money back into North Korea, whose economy has been stagnant for a very long time, thanks to the West, you know, the likes of the US and people like that. So it’s, yeah, you know, the Lazarus group, that’s quite a well-established group that were behind the Sony Pictures hack, who also stole 81 million dollars from a Bangladeshi bank. And more recently, they’ve been targeting casinos and software developers working in financial companies. And then last year, they were developing in-memory malware for Mac OS, which is quite a big thing as well. So they’re quite an active group and they almost operate without policing, if you know what I mean, because they’re almost state-owned. So, yeah, it expands. But my advice to the viewer is just, if something looks suspect, don’t open it yet. If it’s meant to be opened, it will be obvious. If you get a suspect file, anyway, take it to your I.T. friend or your I.T. department, security friend, your security department in your organisation.
People will be understanding if you find something suspicious. They won’t be too happy if you infect the whole network. And that’s the best analogy I can give you. Better to be safe than sorry, basically.
DAVID TAYLOR [00:24:45] I think, I mean, I could be wrong when I say this, but I’m pretty sure on LinkedIn you don’t need to be vetted, you know, to say you work at a company. Like, your company doesn’t have the power to say, no, this person doesn’t work here. So you’re getting an email, getting a message from someone, and you think they must be legit because you click that link and it takes you to a company. Not always the case. I mean, this isn’t the first time I’ve seen LinkedIn being used for phishing… Back in June, there was a story about hackers posing as recruiters working for US defence companies. They were trying to break into networks of European military contractors and again sent a malicious attachment. Anyone who’s on LinkedIn, those people will be just that dubious of anything coming through. Right, onto our final story of the week. So the New Zealand Stock Exchange was halted by a DDoS attack for two days. And maybe this might show my ignorance, but I had no idea that New Zealand Stock Exchange.
JOSHUA READ [00:25:49] That’s better. Yeah, Cozy Bear did, the Cozy Bear group did. On Tuesday afternoon, the stock exchange said it had been hit with a volumetric DDoS attack from offshore via a network service provider, which impacted the network connectivity, and said it expected the market to open the following day on Wednesday, but it decided to hold it further and wait. However, NZ is actually still down at this moment in time, and they’ve released a statement this morning saying this decision not to reopen has been made while we focus on addressing the situation. Instead, we continue to address the threat and work with cyber security experts and we are doing everything we can to resume normal trading tomorrow. So hopefully the market is trading tomorrow, but it goes to show the effectiveness of DDoS attacks. What I found most interesting here is, back in November, actually, Air NZ, which is the New Zealand Cyber Security Organisation, they basically put out an advisory, a notice for the Asia alert, stating that the financial sector will be targeted in blackmail campaigns. So back in November, they basically found there were some emails that were reported that originated from the Russian hacking group Fancy Bear, which is more commonly known as Cozy Bear, which demanded ransom to avoid denial of service attacks, which is an odd way of doing it. And it proved to be quite, well, it’s not confirmed whether Cozy Bear were behind this DDoS attack at this moment in time. In those examples, there was an email sent to the company basically saying, we are the Fancy Bear and we have chosen your company, with the company name, as a target for our next DDoS attack. The email gives a deadline. So they must pay the ransom within the deadline, otherwise they’re going to suffer a major denial of service attack, demanding a ransom to prevent it. And then phase two, I found this interesting.
So, to make the campaign more believable, they will give a demonstration of a denial of service attack on a smaller platform that they own. So they would basically, you know, only do a DDoS attack for 30 minutes and tease them and say, look, we can do it. We’re gonna carry on if you don’t pay this ransom, which I thought was quite effective. But they didn’t prove to be so threatening and actually follow through with threats until now. But it’s still unconfirmed whether Cozy Bear is behind this attack on the New Zealand Stock Exchange. One thing that has actually come to fruition is the need for DDoS protection, especially on critical infrastructure such as financial institutions. You know, they are still financial institutes. It can be argued that they’re part of the nation’s infrastructure. You know, if the finance industry falls, they’ve got no money to spend, and everything just shuts down because everything runs on money. And countless DDoS protections, I mean, how many times have we covered stories this month, this year, where it’s like, you know, AWS Shield or Cloudflare have stopped, if not the largest DDoS attack, that was like 2.71 terabytes or something like that. You know, this was smaller than that. And they didn’t have DDoS protection. So they’ve basically just gone, you know what? We’ll just completely ignore it. If there is anyone in the world that requires DDoS protection, it’s those providing financial platforms, because that’s what the world runs on, finance. It’s money. You know, nobody works for free if you haven’t got a financial platform. You know, let’s say Barclays went down for debt. It would be on meltdown. There’d be no money rolling around. You know, people will be able to be paid. And that’s what we’re trying to get at, is this is critical infrastructure and it should have those DDoS protections.
And if there isn’t, if they haven’t done it already, they definitely should do it now, because obviously there’s evidence they have been targets. But not only them. People in other organisations, in other countries as well. You know, anyone in the UK, DDoS attacks are becoming more and more regular, larger in size. It just pays dividends to, you know, the fact that they need these protections, whether it’s Eurostar, Azure, Cloudflare, Project Shield, AWS Shield. There are countless ones out there. And they really do need to seriously consider DDoS protection.
DAVID TAYLOR [00:31:18] Definitely seems like it. It’s quite a simple attack, isn’t it, in terms of sophistication? It’s just like a brute force, shut it down.
JOSHUA READ [00:31:27] It takes a lot of planning. Obviously getting a botnet of hundreds and hundreds of machines and basically pointing them at one endpoint, one area, is quite a substantial time cost. Well, a time-expensive exercise, but it’s very, very effective. So people should really start taking it seriously.
DAVID TAYLOR [00:31:55] Definitely. All right. Well, I think that’s all we’ve got time for this week. So, Josh, thanks for your input. As always, some really interesting background on the stories. And for everyone else watching at home, join us next week for the top cyber security news stories. Catch you then.