Secure With Celerity Episode 6
Hello and welcome to Secure With Celerity, the show where we digest the week’s top cybersecurity news stories in around 30 minutes. I’m your host, David Taylor, and today I’m going to be rejoined by a couple of cybersecurity experts from Celerity. We’ve got Josh, our cyber security analyst, and we’ve got our technical architect for security, Steve, later. How’s it going, guys? Are you.
[00:00:29] We all got that Friday feeling. Oh, yes. Just about, just about Blue Chip. Let’s get this over with. We’re going to crack on with our first story, which is that Google is about to receive, or has received, a five billion dollar lawsuit because they are actually tracing and tracking people’s Internet usage even though they’re in incognito or private mode. And so I think we’ll digest that a little bit more. But I think one thing that jumped out to me, and one of the spokespersons said this, is that actually when you go into incognito mode, there is a notice that says some websites might still be tracking your data.
[00:01:11] That’s right.
[00:01:12] And yeah, this thing has long been speculated about: how private browsing, incognito mode and private modes actually are.
[00:01:25] There’s been countless investigations into, you know, is IE actually private, is incognito mode on Chrome actually private, and the bottom line essentially is there’s numerous things you can do on Chrome to stop it from sending. You can send out Do Not Track requests in the settings so that when you go on a website you send a request to the website saying do not track, but who essentially honours that? Many organisations are collecting data.
[00:01:58] It’s incredibly hard to keep track of. I think Google’s been called dumbfounded by this lawsuit. I think the complaint was filed at the federal court in California, and essentially it’s because Google gathers data through Google Analytics, Google Ad Manager and other applications and website plugins. But then there’s also smartphone apps as well that were also collecting as part of it. It’s been going on since twenty sixteen.
[00:02:33] But we.
[00:02:35] There’s long been speculation, especially in the cybersecurity world, around privacy, about users being profiled online, and essentially you have, in a sense, a Facebook-like profile on you somewhere on the Internet with all your website visit trend patterns and what you’re most likely to buy, correlated across numerous, numerous different vendors. It does seem pretty surreal that somewhere out there, there could be almost a Facebook marketing profile, I would say Facebook, but a marketing profile of you and your buying habits, your website visit habits and so on and so forth. I think what they found in this investigation, supposedly, was that Google learned about users’ friends, hobbies, favourite foods, shopping habits, and even the most intimate and potentially embarrassing things.
[00:03:47] However, that wasn’t specified. So I can only suggest that it’s stuff that you wouldn’t want the general public to know, like your browser, the way you browse, what websites you’re looking at, what you potentially buy, and whether it’s explicit or personal to you.
[00:04:07] But it comes as no surprise to me that this has happened. In the browser, incognito mode really is to sort of stop the tracking of local stuff, cookies and all that kind of thing, for that session. Once you enter somebody else’s environment or somebody else’s platform, then there’s no real guarantee that anything’s going to stop them from tracking what you’re doing or watching what you’re doing. And I think that’s where the likes of the various browsers warn about that: you may still be tracked. And obviously, if you’re using browsers within an enterprise or an organisation, it still doesn’t stop them seeing which websites you’re visiting or anything like that. They go through a proxy, or they can see all the network traffic as well. So it gives you some level of security, I guess. And there have been many, many studies about whether there is any truth to true incognito mode, and really, probably not. So, yeah, and people’s perceptions as well, and rightly so, people shouldn’t, I guess, be tracked. The information shouldn’t be tracked. But because of the nature of technology, you obviously get people and organisations where that data is very valuable to them from marketing perspectives, from general perspectives, because, let’s say, it profiles you, it puts you in your particular pocket and you can then be targeted with targeted ads or anything.
[00:05:49] Yeah, I think one thing since the GDPR law’s been brought in, I would say everyone’s been forced to make the privacy policies and all the shenanigans and make sure that users are consenting to give that data away, essentially. And I think that’s really brought to fruition how actively used your data is. And based off some links that I’ve clicked on on Facebook, you land on a website that’s, you know, telling the story you really want to read. And instantly you get hit with the yes, I consent to this, or no, I don’t want to be tracked, I don’t want my information being sold. And then if you go down, click about five links into that, you eventually find out what they’re selling, and the information that they sell is frankly shocking. And you sit there and you think, well, what use would this be to someone?
[00:06:49] But then you think, maybe I don’t want this to have been used. So when you click on it on a website, it’s easy enough just to say, you know, there’ll be a lot of dark patterns on that website to force you to click or persuade you to click I agree, or yes, I agree, I consent. Essentially, you shouldn’t really be doing that. You should be reading into what there is, where it’s being sold to, who has access to it, because essentially what you’re doing is giving away all your information. And it could potentially be used as a profile against you.
[00:07:25] And it comes down to people’s personalities as well. There is a lot of apathy sometimes about this, about those consents. Some people aren’t paying attention to it. Some people don’t even know it exists. Some people are just apathetic about it, or, in the case of this lawsuit, people are very proactive and defensive of their data. And probably that is the right way to be. But, you know, you’ve got a whole spectrum of people’s opinions and feelings on it. So some people are very, very protective of it and some people don’t really pay much attention to it.
[00:08:00] So I think since GDPR as well, every single website has it on. And, you know, if you think how many website pages we go on a day, it’s tens, if not hundreds, if you’re doing some big research. So it’s so easy just to say, yep, I consent, just to get it out of the way so you can read the story. And I think a lot of people just see it as a thing to click to get to the content and don’t really think too much about it.
[00:08:25] And some people probably don’t even read it. They’re just so used to buttons flashing up that they can’t get to what they want unless they press the button, without really understanding what it’s doing in the background. Yeah, and GDPR and all of those things have been brought in to try and get some control and give some accountability about it as well. And rightly so. Yeah.
[00:08:51] So I think it’ll be an interesting one to watch. It’s to the tune of five billion, the lawsuit itself says.
[00:08:58] It says that equates to five thousand dollars each. That’s what, a million people? I’m sure there’s more than a million people who may have been affected by this, but whether they will get the money. Yeah, Google’s obviously got a pretty, pretty sweet legal team. And like I said, the spokesperson for them came out and said, as we clearly state, each time you open a new incognito tab, websites might be able to collect information about your browsing.
[00:09:23] So, yeah, that should be the trial. Yeah. Yeah.
[00:09:29] All right, guys, let’s move on to our next story, which is that there’s been two more critical flaws found in Zoom, the video conferencing app that we’ve all probably been using since we’ve gone into lockdown. Right.
[00:09:43] I think one of them is to do with GIFs, meaning that if someone was to send you a GIF, Zoom wasn’t actually checking where the source of the GIF came from. And the other one was sending in different code snippets, snippets of code that were put in zip files, that can be scanned over for any malicious stuff.
[00:10:02] And we got more than just.
[00:10:06] Yeah. Those two vulnerabilities, well, two flaws, were found by Cisco Talos and were responsibly disclosed to Zoom, which is the right way of dealing with these vulnerabilities. It means that much. Yeah, well, that’s what responsible disclosure means, because it gives time for the vendor to patch it before all the users are left with their trousers around their ankles and the attackers have a potential target to hit. I mean, both exploits are quite heavily scored on CVSS. The GIF vulnerability, which was an arbitrary file write
[00:10:46] vulnerability, was scored eight point five, which is quite high.
[00:10:53] Basically, in order to trigger the vulnerability and exploit it, an attacker would have to send a specially crafted message to a target user or group. The severity of this vulnerability is partially mitigated by the fact that the Zoom client will hand the string to a different form, a different name, sorry. And this prevents the attacker from creating a fully controlled file with arbitrary execution. That’s the problem with CVSS scores at face value. Yes, it may seem vulnerable, but you need to read into the context of it: how to exploit it, is it easy to exploit, is it really bad if it is exploited? And that’s something that CVSS doesn’t necessarily break down very well. But again, as I said before, these have been patched in the latest version of Zoom. And an interesting thing on this. Every single time I’ve gone to update Zoom, I’ve had to click the little profile picture in the top right and click check for updates. This time it was done automatically. So whether it’s because of the severity of these vulnerabilities or whether it’s just that Zoom’s auto-update has switched to patch release now, as soon as you power on the application, I’ll have it open.
[00:12:18] It will automatically update. And I’m sure it should. I don’t know. Well, I know a few applications out there that don’t do it, but I think all applications should automatically update as soon as you start using them. It’s in the user’s best interest. I know my girlfriend’s a big offender for not updating various applications on her laptop and I tell her off for doing it. But you know, these things are released to protect the user and these things are released to protect.
[00:12:49] Protects your information to protect the data.
[00:12:52] Yeah, and this second vulnerability was an application code snippet remote code execution vulnerability, and that was given a severity score of eight, which is slightly less than the previous one. And to exploit this one, an attacker would need to send a specially crafted message to a target user or group again. And for the most severe effects, the user would have to interact with it, so it could be exploited partially without user intervention. So that, as in the user opening and reading the message, and then if the user did interact with the crafted message, then it could be a lot more severe. It should be noted, even if the target user deletes the file upon realising it’s bogus, the Zoom client will re-download it, just trying to honour it.
[00:13:59] But sorry, and still download it to the same file path, but, yeah, I’m not sure if that’s been changed in the latest update. I bet the fact that it tries to re-download it after you’ve deleted it doesn’t seem good.
[00:14:16] It’s not like you and I don’t really understand the function of that one, really, from a Zoom perspective. But yeah, I think in summary, without user interaction, it can be abused to plant arbitrary binaries on a target system at a constrained path, potentially used to exploit another vulnerability, but with user interaction, binaries in almost arbitrary paths, and it can potentially overwrite important files, which can lead to arbitrary code execution. It could be a very nasty, nasty one if it’s exploited. I’m not sure if there are any in-the-wild attacks being used to target this. It’s the same as everything: it’s announced and there’s a big what are we going to do, I’m really scared. But then actually there’s no proof of exploit. There’s no in-the-wild attacks happening.
[00:15:16] So what I would do is, I wouldn’t say bet your bottom dollar that it won’t happen. I would say update your Zoom as soon as possible, because all the while it could be nasty.
[00:15:29] Yeah. So it’s always the recommendation. Keep all your software up to date. Yeah, definitely the basics.
[00:15:36] Yeah. Good good. Security hygiene.
[00:15:39] That’s what we want. Right. So we move on to our next story, which is that old spreadsheet macro tech is newly popular with criminals. So I guess this is the one about macros being used. Macros have been around for about 30 years or so, but it’s actually created a new wave of cyber attacks, or a continued wave that seems to be evolving.
[00:16:02] And from some research that we found, right now the versatility of this malware and how it’s developed over the, what you usually see with cyber attacks is they usually develop in quite a well structured way of doing things and then change.
[00:16:22] Really, the only thing that changes is the way it hides itself from detection systems, but this one is developing. It’s such an agile threat, the amount of times it’s changed over the course of the last two months.
[00:16:39] So it’s interesting to call it, they’ve caught it early, isn’t it? It looks like they’ve caught it at the beginning of its development cycle as it’s starting to filter out into the wild, and also being able to track it as its capabilities and obfuscation and the different techniques that have been brought into it are developing, especially on what was a 30 year old technology. You know, macros have been around, you probably, too, probably can’t remember a time before macros were about. Yeah. So macros in other areas have obviously been used for quite a while to deliver threats. But this one seems to have almost bypassed everybody, and also the fact that people are having difficulty in spotting it as well, because it is actually a piece of the spreadsheet technology and it has legitimate uses. Being able to track it and actually prevent the execution of these macros is probably quite difficult to do because, like I say, you could end up blocking legitimate uses, and the macros have been around for a long, long time. So they’re probably embedded within enterprises everywhere and organisations use them regularly. So how do you stop the malicious macro and allow your departments to keep on functioning with the ones they’ve written?
[00:18:11] So I think the danger here as well is the macros are incredibly easy to write.
[00:18:19] You can have a macro where, when you click a certain button, you know, a fake enable content button, it takes you to the official website or something like that.
[00:18:32] It could be written in about 30 seconds. And that’s why it’s so dangerous. But then, as you said before, there are genuine business purposes for macros. I’ve got spreadsheets of macros that make my working life easier. And there’s plenty of colleagues that have them. So they’re not an unknown thing within the business world. And email filters have the ability to block certain macro-enabled document file extensions.
[00:18:59] So the likes of your Excel file will always end in .xls, and .xlsx is the standard, but then if it ends in M, .xlsm, then it’s a macro version of it. OK, and the same for .docm: if it’s .docm instead of .docx, then it’s essentially a macro-enabled document, and you can block those file extensions on your email.
[00:19:25] Like you said, there is genuine business purpose. You need to deem, you know, whether the volume of macros that are used for genuine business purpose outweighs the risk of macro-related threats.
[00:19:39] And that’s something that is going to be different for every single business and something that probably needs to be done on a case by case basis.
[00:19:47] And if you have a need for Excel sheets being sent in via email to the organisation, then you’re going to have to allow them through. But if you don’t, then you can block them to stop them getting in. If they’re only circulated internally and you don’t want those things coming in from the outside, or the file types as well, you know, if you don’t need them in your organisation or you don’t expect them to come into your organisation, then stop them from coming in. I think probably with this one, though, it’s probably the speed that the researchers have been able to see in the development of it as well. Yeah, it seems to be quite a rapid development in that time.
[00:20:32] Yeah. The first widespread campaign was on the 14th of February, that the research group found, and it was the first large scale one. It had no obfuscation tactics in the document, it downloaded via DICKON, and its evasion techniques were mouse and audio checks. And comparing that with the latest one, there is so much development, it’s ridiculous. So essentially there’s a long timeline of what’s happened. So it’s gone from having just a basic Excel spreadsheet through to cells being scattered around the sheet, code hidden in white font. What else is there? The payload hidden within dozens of macro sheets, so they’ve spread out the payload and the actual macro code across various sheets to make it harder to be detected.
[00:21:34] There’s been operations nested in character formula parameters, and it’s got quite sophisticated, quite a bit, probably because of the simplicity with which it can be developed. The threat actor has a fairly organised and regimented development roadmap in mind. Keep it simple, you know, to get it out there and then add the functionality that they want as they’ve gone on, basically to speed up and get it out into the wild and usable.
[00:22:09] It’s about 11 or 12 iterations of it within the five year period that they’ve been doing it.
[00:22:16] So I’ve got some examples of what the Excel spreadsheet looked like on the presentation screen. So the Office one in the bottom left is essentially: you open your Excel spreadsheet and it says the document was created in an application not related to Microsoft Office, for reviewing or editing, please perform the following steps. It’s the classic enable editing, enable content. And that’s what we’ve seen with the scripts in all Microsoft Office products, phishing attacks and malware attacks. So the.
[00:22:53] And then when you click the enable content, it comes up with a: we found a problem with some content, do you want to recover as much as we can? You click OK, and that’s when the juicy stuff starts happening. So, yeah, it’s not pretty. The graph at the top, that was the threat activity across the time period. So there were drips and drabs happening at the end of December. But the first real hefty campaign started mid February.
[00:23:27] And as you can see, as we’ve gone on, I think the end there is the 30th of April, which was last week. It’s died down a bit. But if you follow the trend of what’s happened, it’s probably going to pick up again next week. So it’s definitely something to watch. It’s a developing threat, and the agileness of this threat as well.
[00:23:47] It’s, you know, a macro will always be a pain in the arse. It’s there in cyber security, a nightmare to manage every single time. I think the various techniques that are used, whether it’s VBScript, whether it’s just a plain old macro, there’ll always be a threat, because essentially all you have to do is click a button and you’ve compromised your machine, and all it needs is to enable content. So, yeah, it’s not good.
[00:24:23] But I think the way to sort of protect yourself against it, it’s got to be around sort of employee education, I guess, like simulated phishing.
[00:24:30] So using your people as, you know, your last and your best line of defence, because if email filters aren’t going to pick it up, you basically have to train your employees: if someone sends you this random spreadsheet.
[00:24:42] You don’t know who they are and, you know, get in touch with the software team just to.
[00:24:49] Basically, if it gets through.
[00:24:52] And again, protect. And I think at the moment, well, it’s been like this for a while, but I think email is, how do I put this, due a revamp. I think the technology, yes, it works, but I think they can’t compete with the flexibility of attack types.
[00:25:18] The tactics at the moment, having an email filter alone as a single entry point protection is simply just not enough anymore. The versatility of attacks, you know, I’ve said it a long time. The process of detecting phishing emails is almost impossible because their sole purpose is to replicate genuine emails. And if you receive the phishing email that has a link in it, that goes to a website which then subsequently downloads one of these Excel macro-enabled documents that is talking to a command and control server somewhere in Russia or Ukraine, and then that’s pulling down secondary malware, which is the Tractable Trojan, and then that’s stealing your information and doing all that.
[00:26:11] The full lifecycle, and the common denominator here is your email filter. If your email filter had picked up that email, none of this would have happened. And the problem is, at this moment in time, I don’t believe there is one contender of an email filter that can provide the protection that anyone would need to stop phishing attacks. And I don’t think there ever will be, because phishing emails’ sole purpose is to replicate genuine emails in a malicious act. So it’s a difficult one.
[00:26:47] And I suppose also there’s a lot of bring your own device and that kind of stuff. You know, people will, if they need to, probably send corporate emails to personal devices or email addresses and that kind of stuff when they’re out and about, if they’ve got problems. And there’s a number of things that could circumvent and compromise various devices around that, which then bypasses the corporate email filters. We start to see, I think, AI and that kind of stuff creeping into everything now. So things will get better and technology will improve. But ultimately, you’re in an arms race, you know. I’ll eat my hat.
[00:27:27] If there’s a tool out there that can detect 100 percent of phishing emails, I’ll eat my own hat, because, you know what, it’s a pretty big hat.
[00:27:41] Right, guys, over to our final story, let’s crack on.
[00:27:48] Just quickly: global mobile phishing encounters have surged by thirty seven percent amid the shift to work from home.
[00:27:57] I’ll be surprised, guys, not really, no. Because of the shift to work from home, because of covid-19, companies have probably seen the number of phishing emails increase by quite a considerable amount. And also the fact that on a mobile phone, it’s probably harder to spot phishing emails.
[00:28:20] And that’s the main thing for me. So often I get phishing emails on my burner email account, I like to call it that, I signed up for dodgy forums with it, and when I say dodgy, I mean like, yeah, yeah, yeah, yeah. But yeah. So I’ll get emails on them and I’ll think, well, this actually looks quite genuine. I’m quite intrigued by this. I’ll just load it up on my computer and have a look on my computer and see if it looks any different. And on the computer it looks the worst email possible. But then back on my mobile it looks like it’s actually come from Microsoft themselves. And it’s like, you know, this technology is out there, mobiles are designed to make things look good on a small screen. If the email looks terrible, your mobile is doing its best to make it look good, even though it looks rubbish. So that’s one. You’re working on a smaller screen. There’s a number of different external environmental factors that play their part in the success of mobile phishing. And yeah, it’s scary. I think they released quite a substantial report, Lookout did. I’ve got Lookout on my phone, not by choice.
[00:29:44] It just installed itself because I have a Samsung. Well, I think they found eighty five percent of mobile phishing happens outside of email apps, which is, again, another thing which I’ve seen a lot of, Facebook phishing. You know, you’ll always get the person saying, oh, this product is really good and it’s a weight loss tablet, and it’s like, OK, and then obviously they’ve clicked the link, entered their Facebook details, had their Facebook account hacked, and now they’re the distributor of the social engineering material because the hackers got on their Facebook. And again, it’s annoying. I don’t think Facebook does enough to stop it. I consistently say it’s been a problem for the last 12 months. And I think every single day I go on Facebook, one of my friends is being idiotic and clicks a link and submits their information for a weight loss tablet. So, yeah, it annoys me.
[00:30:47] And it seems to be growing as well, on Facebook, obviously social media platforms, traditional phishing and people responding to it on mobiles. And some of the statistics were quite interesting, about the fact that in a corporate environment, a lot of people will click on it once and then they’ll learn from the mistake and not do it again. It’s flipped around in the sort of personal space, where the more phishing emails you get, the more chance there is that you will click on a phishing email at some point in the near future after multiple attempts. And also that, you know, when you scale that up, especially like we were talking about before, bring your own device, when you scale it up to tens of thousands of employees, then the chance of somebody clicking on a phishing link is greatly increased. And the chance of somebody submitting something out of that ten thousand is greatly increased as well. So all of a sudden, corporations and enterprises have to deal with the fact that, from a risk perspective, thousands of people potentially could submit some data, or are at risk of submitting some data, that could then allow an attacker into an organisation. And I think that’s quite a bit of it: the more employees you scale up in terms of your organisation, the greater the risk is that somebody is going to press that button, and then you’re relying on your technology, your security, to prevent and detect and alert on that incident or that attack. And if none of that operates correctly, then that’s when the real problems start.
[00:32:34] Yeah, is a nightmare.
[00:32:38] I actually received one or two emails this morning, two phishing ones, from, was it from Microsoft? Apparently someone had tried to get into my Microsoft Teams account. But it actually went to my personal Gmail account, which obviously raised some red flags, but I just had to go in, almost like forward the email, just to be able to see the actual email address, because it just says Microsoft Teams. So, as we talk about this every week, with my job I’m quite a little bit more savvy than the average person, but anyone else who’s seen it, and if they had actually got Microsoft Teams, or maybe that had gone to a work account, might not even think twice about it and might just click on those links, I’m sure.
[00:33:15] Yeah, cheeky, if guys try to phish me on a Friday morning. Not today, guys. So yeah. So mobile phishing, I think everyone’s using mobiles. A lot more people are working from home. Just to take it back towards marketing and that sort of thing: if your websites are not optimised for mobile, then you actually rank lower. So everything’s shifting towards being on a mobile.
[00:33:43] So all the evidence points in the right direction, that that’s where cyber attacks are going.
[00:33:49] Probably what got the most traction in that report, I think, is that by twenty twenty two, seventy five percent of smartphones used in the enterprise landscape will be bring your own device, which is up from thirty five percent in twenty eighteen. It’s no surprise, you know, if you’ve got cloud environments, if you’ve got multi-factor authentication, users are going to have to have a mobile. If your company doesn’t supply mobiles, then they use their personal devices, and that’s where the danger lies: the merge of work environments and home environments, the working and personal life environments merging on one device. And that’s essentially a breeding ground for hackers and is where they will go to get their information. You know, if you can hack a device or steal information off a device that has your work and personal life on it, you hit two birds with one stone. It’s simple.
[00:34:49] I guess it all comes down to your objectives, what you’re trying to do, what your objective is, to get what information you want, or whether you just want to see what’s available.
[00:35:02] Yeah, you.
[00:35:05] That’s all I have on that one, sir, and the other thing is the amount of organisations that don’t want to supply mobile phones anymore because it’s a cost they don’t want to consume and they don’t want to have to deal with, especially if you’ve got remote workers now, which is potentially the new future. It could increase costs significantly if they’ve got to provide a mobile phone to everybody.
[00:35:29] If you’ve got a mobile phone, you have to have an MDM solution. And an MDM solution can be quite expensive, and expensive to maintain and to enforce restrictions if necessary. Oh, yeah, we’re in interesting times.
[00:35:45] All right, guys, that’s all we’ve got time for today. Definitely just monitor those stats moving forward for the rest of 2020, as everyone probably will be working from home for at least another few months. But thanks for your time today, guys. I think we covered some really awesome stories and some really good information. The macros bit, when I was looking at the links, kind of blew my head off a little bit.
[00:36:07] Well, no doubt about them all. But anyway, thanks for your time, guys. I’ll catch you guys next time. Everybody else, thanks for watching Secure with Celerity, we hope you enjoyed it and got some really good, useful information. Join us next week to hear some more top cybersecurity stories of the week then.