Secure With Celerity Episode 11
DAVID TAYLOR [00:00:32] Hello and welcome to Secure with Celerity, the show where we try and digest the week’s top cybersecurity news stories in about 30 minutes or so. I’m your host, David Taylor, and today I am joined by Steve Laidler and a new guest to the show. We’ve got James Maynard here, who is one of our cyber security analysts. How are you doing, guys?
STEVE LAIDLER [00:00:50] Hi, Dave. Are you alright?
DAVID TAYLOR [00:00:52] Not too bad. Summer seems to have got away from us up in the north, but we’ll crack on, not too bad. So our first story, let’s crack on with that. We’ve got a new Dark Web audit that reveals 15 billion stolen logins from around a hundred thousand data breaches. Now, I believe this came from an audit done by a company, wasn’t it, Steve?
STEVE LAIDLER [00:01:18] Yeah, that’s right. So basically, some researchers from the Digital Shadows Photon Research Team spent a number of months, about 18 months, I think, auditing various Dark Web forums and marketplaces. And they found that since 2018, the number of credentials available to various people on the Dark Web has increased by about 300%, and they reckon around about 15 billion accounts from about 100,000 data breaches are now available on the Dark Web, which is a vast amount of credentials if you think about it. They reckon that’s two for every man, woman and child on the planet, which is a serious amount. And of those 15 billion, about 5 billion of them are unique credentials that are not duplicated in those numbers. And you think about what they could be used for and the different services across everything: banking, music services, web services and administrative accounts are all available on there. And I guess the really interesting point is that most of these are available for free, to be used by almost anybody. But on the flip side, there is almost a commerce occurring, depending on how important or the perceived value that these accounts have. So when you lose an account to a breach, depending on what it is, whether it’s a domain admin or it’s your library login or something along those lines, depending on the potential attacker or whoever wants to buy it or get hold of it, people may hold those credentials back to then sell them to somebody else. And the value increases depending on the desirability and how new it is, how fresh it is, if you like, from a breach, as to whether it’s been locked down already. Presumably a lot of people don’t realise that they’ve been breached and therefore the value of those credentials is much higher. 
And I think some of the figures, you’re probably looking at seven or eight pounds for a low-value account, maybe a standard Spotify account or something like that, increasing to fifteen, twenty pounds for a media or banking login, I think we were talking about yesterday, all the way up to a hundred thousand pounds for a domain admin, because somebody perceives it to be worth a lot of money based on the return or the access that it’s going to give them to further information, and then being able to drive more revenue out of an organisation because of whatever data they can get. It’s worth spending that 100,000 pounds, 95,000 pounds to get a credential because the return on their investment is going to be far greater.
DAVID TAYLOR [00:04:59] You know, I remember looking at them and, talking about different prices of things, I think it was saying the average online banking or financial login was about 56 pounds. It’s quite interesting to see that, I guess, banking and financial logins equate to about 25% of all the adverts they had on there. So the core of them all being banking is quite significant. That’s the stuff that you don’t want to be getting into the hands of the bigger hackers.
STEVE LAIDLER [00:05:27] That’s right. And again, it comes back to, from a financial perspective, the economy of scale of things: anything financially motivated has a perceived increased value, as you’d expect, above a standard account for maybe something like Spotify, where the gains you can drive from those are a lot lower. It’s like any market, really: whatever the perceived value is of the thing that you’re buying. It’s the same with credentials and with whatever leaked data you get, really; it’s dependent on its confidentiality, its perceived value. It then becomes more expensive to buy.
STEVE LAIDLER [00:06:21] James, are you surprised at how many are on there? I know this equates to about two logins per person on the globe, but I’d be amazed by that. How many accounts do you guys have? I know I’ve got probably 15, 20 accounts easy that I can think of off the top of my head that I’ve got logins for. So 15 billion, that’s a lot. I’m not too sure if I’m surprised by it.
JAMES MAYNARD [00:06:46] When you think about how many accounts your average person has, when you look at Amazon and Spotify, every single thing. I mean, how many of them are linked together? Because if you think about your Amazon account and your password, you may even find over six accounts and they all have the same password. So of those however many billion accounts, it may only be one person who’s lost 10 accounts, that sort of thing.
DAVID TAYLOR [00:07:08] Yes, I think that’s right. I mean, what can people do to solve it? Is it just about changing that password, James? Or how can people help mitigate it?
JAMES MAYNARD [00:07:21] So refreshing the password frequently is probably the easiest thing you can do to not get caught up in this, because even if, hypothetically, your password has been breached and leaked, if you change it every two weeks, that information is pretty much useless: by the time they have your account details, you’ll already have changed it. Let alone if your password is more complex in the first place; it’s less likely to be cracked. If your password’s just password123, the chance of it being in this sort of breach skyrockets compared with having a unique, difficult-to-crack password.
JAMES MAYNARD [00:07:53] And we could also throw in things like multifactor authentication as well. So obviously that’s an additional layer of security; assuming the platform that you’re using has multifactor authentication and is capable of doing that, then certainly having that facility available to yourself is very useful. Even if people get past the password, crack the password, then chances are they’re not going to beat the 2FA, and that’s going to stop them. I think the other thing to mention is the fact that there seems to be almost a reciprocal kind of approach, where if a breach happens and a database of passwords or some encrypted passwords is found, then sometimes that information is passed to the community to crack the passwords, and the passwords, once cracked, then seep back into the ecosystem. So it’s almost like perpetuating an ecosystem of passwords and mutual help, to ensure that those passwords are filtered back into the pool.
DAVID TAYLOR [00:08:58] Okay, good. So let’s move on to our next story of the week, which is: hacker leaks passwords for more than half a million servers, routers, and IoT devices. And what I remember from it was that the hacker itself was running, I think it was, ransomware as a service or DDoS.
STEVE LAIDLER [00:09:19] Yeah, that’s right. So this really feeds into, I guess, the story we were just talking about; this is almost an example of that type of information, passwords, usernames, et cetera, being put onto the Dark Web and dumped there. So this was a dump of telnet usernames and passwords. And telnet is a remote access protocol that’s been around for quite a while, quite a long time. It is almost a forerunner to, I guess, SSH, and allows users to access remote machines, usually Unix-like terminals and Unix-like systems, which is really where it came from. And it was often used back in the day because people would be connecting to systems within a particular organisation, within an organisation’s perimeter. They wouldn’t be traversing something like the Internet, which may not have existed at that time. So it’s unencrypted. Any traffic that’s passed via the telnet protocol is unencrypted, and that means that if somebody can get in between the source and the target of the telnet traffic, there is potential to sniff that traffic and capture the usernames and passwords. This attack was a little bit different to that. It was basically somebody sitting on the Internet scanning, looking for telnet devices, whether that’s home routers or servers that were using the telnet protocol across the Internet, and trying to brute force the passwords with default passwords or common passwords to breach them. And then building up an inventory of those devices, thousands of devices on the Internet, and using them as a botnet for distributed denial of service attacks. 
And I believe that this trove of usernames and passwords was released onto the Internet because the attacker who was running the DDoS service switched his mode of operation, switched his model of service, from distributed botnets based on these devices to a more Cloud-based server platform, where he wouldn’t necessarily need all the devices sitting out on the Internet. He had already created a DDoS server farm based on a Cloud platform. So these usernames and passwords were released onto the Internet, as they were no longer of use in that scenario.
DAVID TAYLOR [00:12:06] So it’s quite annoying. I guess the hackers are really embracing this digital transformation.
STEVE LAIDLER [00:12:13] It’s probably, for whatever reason, maybe a more efficient operating model. Maybe it’s easier to manage than thousands of devices all over the place. You can probably scale it on a Cloud platform without having to add another 10,000 rogue devices. Security is probably getting better too, because things like telnet, certainly in the Unix world, as part of hardening systems you turn a lot of services off. A lot of people will turn telnet off and move to SSH because it is encrypted and it is a lot more secure: the traffic is encrypted and not plain text. That’s not to say there aren’t going to be devices sitting out on the Internet running telnet. But generally, there is a move away from telnet as a remote protocol.
JAMES MAYNARD [00:13:02] This doesn’t look to be a very sophisticated attack; it looks to be looking for default passwords or cracked passwords. So obviously, aside from what Steve just mentioned, turning off the protocol, the password could be changed, or you could refresh your password regularly. So it’s much the same as our last story: it’s just about vigilance in your security hygiene, to think, okay, we’ve just got something new in, change the default password, make sure it’s not the same as other things. That would put you head and shoulders above. Yeah, that’s right.
DAVID TAYLOR [00:13:31] Well, you’d like to think... I mean, WiFi routers, you might understand that someone just kept the default password. But I’d like to think the servers probably aren’t running on the default password that they came with?
STEVE LAIDLER [00:13:44] You’d like to think so. I mean, certainly from a server perspective, generally accounts like root and that kind of stuff will be changed and severely hardened or turned off completely, and other methods used to get to the admin. But then again, it really depends on the device. I mean, a lot of these are home devices, and it’s unlikely a lot of servers are going to be directly connected to the Internet; they’re more likely to be behind firewalls. But end-user devices, especially where the skill set is low in managing these things, then it’s unlikely that somebody will change the default password. They may just plug and play, plug it in and away they go. The passwords generally get set to random alphanumeric characters these days, but that’s not to say other devices aren’t set to the admin/password combination, which is a good old favourite. So it’s probably safe to assume that a lot of these things are set to some fairly rudimentary password. And the other thing as well, out of that list, I think we were commenting on how many devices were actually listed in it: half a million, I think. Of those half a million devices, some of them by now... I think that list was from 2019. Some of them are going to be dropping off. Passwords will have changed, IP addresses will have changed, credentials will have changed. So that list now would probably be a lot smaller than it was. Maybe some of them have been thrown in the bin, or recycled, I should say. Recycled in a responsible manner.
DAVID TAYLOR [00:15:24] Of course. Of course. So, yeah, same as last time: people should be changing their passwords quite frequently to avoid that. Right. Let’s move on to our next story, which is the DDoS attacks. The number of DDoS attacks has jumped 542% from Q4 last year to Q1 this year. Were you surprised about this, guys?
STEVE LAIDLER [00:15:48] I guess it isn’t less surprising, but it’s more that it’s in keeping with the current situation. Because of the COVID situation, there’s a lot of remote working now, as we’ve discussed in previous weeks of this show, because people are working from home. That means that they’re obviously going through their own service providers, and therefore the service providers themselves have become a bit of a target for increased DDoS attacks, presumably to knock people off the Internet just to cause annoyance. But again, as I’ve seen before, if there’s a certain situation that arises, whether it’s political or social or, in this case, from almost an economic and working perspective, then it automatically becomes a target from a cybersecurity perspective as well, whether that’s phishing or, in this case, DDoS. But certainly the numbers have increased quite a bit in the last, what, half a year? I think the previous percentages at the back end of 2019 were quite high. And then it’s jumped even higher in the first quarter, first half of 2020. So yeah, I think the numbers show that there’s an upward trend in these attacks. I think, what was it? One of the large providers also knocked away a large DDoS attack as well. I think it was recently the largest packets-per-second DDoS attack recorded on the company’s platform. So certainly it’s almost like bigger is better when it comes to DDoS, in some circumstances, although the trend also seems to be towards smaller and less obvious attacks as well. A lot of network intrusion detection equipment looks for patterns, especially where AI or pattern matching or Machine Learning’s involved. It looks for patterns in the network traffic. 
So trying to slowly increase and change the baseline of something that’s looking at traffic in that way, growing bigger and bigger, or trying to change the network pattern to then sneak these DDoS attacks through the mitigation techniques and engines that are trying to stop them. There seem to be more smaller attacks: shorter attacks with a high packet count.
DAVID TAYLOR [00:18:37] When I was looking at this, going back to the story, it’s a 542% jump from Q4 last year to Q1 this year. But also note that it was a 278% year-on-year increase overall, so a bit smaller than that, but still quite significant. 278% even. I think we’ve covered that the largest one that you’re talking about was a 2.3 terabytes per second DDoS attack. That was in February this year. It just goes to show how things are growing in size and force. The previous world record holder was GitHub, and that attack was 1.35 terabytes per second. So they almost doubled that in about two years. Yeah. So who knows what could happen if you look at the DDoS attacks for this year and onto the next ones?
STEVE LAIDLER [00:19:31] Yeah, it seems to be ever-growing, doesn’t it? The amount of traffic that gets thrown at you during these DDoS attacks is substantial. And again, what the attackers are aiming to do can change depending on who they are and what they’re trying to achieve: knocking services off the Internet, whether that’s crippling or overwhelming the network ports or overwhelming the web services. I mean, we’re seeing standard things there in DDoS attacks, aren’t we? It’s a similar kind of thing to when Ticketmaster releases tickets for the latest band; sometimes that will overwhelm the web services. This is really trying to do it for nefarious purposes rather than the innocent cases where systems get overwhelmed. It’s trying to take those systems down, and that causes a financial or a reputational impact to whoever gets hit by this.
DAVID TAYLOR [00:20:31] Do you think people are... I mean, I think we’re seeing the numbers changing because, maybe during the COVID-19 period, a lot of people are working from home and not actually in the offices, and maybe that’s why they’re hitting them harder. That’s why we’re seeing this increased record.
JAMES MAYNARD [00:20:49] Yeah. A lot of companies and organisations who previously didn’t have to worry about working from home and people working remotely are suddenly having to deploy VPNs and work remotely, and much of that leaves them open to it. Especially now, when people seem to have become a lot more adept at deploying these DDoS attacks, it’s like a perfect combination, where the targets attackers are going after are suddenly jumping up, becoming more numerous and weaker.
STEVE LAIDLER [00:21:14] Yeah. Especially in a remote environment, you’d like to hope that organisations can mitigate those attacks. But ultimately, the mitigation techniques that are used come with a financial burden. There’s a cost to service providers, or anybody who’s providing services across the Internet: they have to spend money, and they have to charge their customers, to deploy the technology to protect people from DDoS attacks. So depending on how much money you’ve got, what your financial clout is, that’s how much technology and mitigation you can put in place. And at some point you’re going to run out of headroom, and then the DDoS is going to overwhelm you. So, yeah, certainly in some circumstances.
DAVID TAYLOR [00:22:10] Interesting to see; it’s probably going to carry on increasing as we make our way through the rest of the year. So let’s move on to our fourth and final story of the week. This is a smartwatch hack that could send fake pill reminders to patients. This story is related to the flaw that was discovered by the UK-based security firm Pen Test Partners, which basically allowed people to hack into people’s smart devices. One of the examples they gave is these smartwatches that are generally given to dementia patients; it would give them a reminder of when to take pills. This could allow hackers to remotely track where they are, but also send them notifications about taking pills as many times as they liked. And sending that to someone with dementia is obviously quite dangerous. Yeah, not ideal.
STEVE LAIDLER [00:23:01] No, it’s not, is it? I mean, these watches seem to be used for a number of different things. Medical versions of them are one; keeping an eye on your children and that kind of stuff seems to be another. But it’s worth pointing out that Pen Test Partners found this and notified the company that produces this particular technology, and they fixed it in a matter of days, 24, 48 hours, I think. So we know it is mitigated. However, there is an app associated with it, as there often is with any technology; it doesn’t end up that they go without one. And I think it had been downloaded 10 million times. There was no telling as to whether this had been exploited. So it has been in the news, but that’s not to say that it hasn’t been exploited in the wild. But really, I guess, less important than the hack are the potential consequences. It actually gave a notification to somebody to take a pill, perform some action, take medication, especially in a vulnerable community. You might see that message, and if it was prompted multiple times, you could potentially have disastrous consequences from a medication perspective. So that was fixed very quickly. But again, it’s an example of IoT, and IoT seems to be pervading more and more into people’s lives, and the medical field is no stranger to this. There are IoT devices right across all sorts of different medical issues. So with the consequences of hacking medical devices, the stakes are a lot higher. And this is definitely one of them.
DAVID TAYLOR [00:25:07] I was just going to mention something I missed out there. So Ken Munro, one of the partners at Pen Test Partners, said that they can make any watch reveal the position of the wearer, and they can also listen to the wearer without their knowledge, and also prompt them to take the medication. So I talked about the location and the notifications, but being able to spy on and listen to people as well is probably quite something hackers would want to do. Maybe not so much on the medical side of things, but for anyone who wants to spy, that’s quite a good thing to have, I guess.
STEVE LAIDLER [00:25:49] Over to you James.
JAMES MAYNARD [00:25:54] It just shows that with IoT, for every advancement you get and every opportunity, there are more threats, especially with medical equipment. So obviously, this is just a watch, but you could go, well, there are insulin pumps which are now wirelessly connected to your phone. What risks does that pose? What risk do you have with a pacemaker, that sort of thing? So I think, aside from this example, this illustrates the dangers of IoT when it’s not really checked, and how many people can test these things. There are all these sorts of risks.
STEVE LAIDLER [00:26:23] And all of this technology as well sometimes gets pushed out on a timescale to develop it and get it out there in the marketplace. Is it taking more of a secure-by-design kind of approach? And the other thing is, well, some of it’s from a dual perspective: these watches are designed to trigger alerts off to somebody if the wearer strays outside of a geo-located zone. So maybe that’s abused by somebody knowing where people are, potentially outside of their house; not necessarily in these circumstances, but maybe in other areas where this technology could be used, making sure that somebody is not present on their premises for criminal activity or something like that, I don’t know. But also, as you said, the listening side of things: what would you get out of that? I guess it’s like any listening in. You might get some information that is of value, of use, but there’s probably going to be plenty of information that isn’t. Well, I guess so, yeah. But again, it’s another vulnerability that could be exploited for some gain.
DAVID TAYLOR [00:27:39] Definitely. I think it’s good that they fixed it quite quickly. But they made a good point about it being 10 million app downloads. And how long has it been exploited, been known by hackers, how long has it been usable? So fingers crossed it wasn’t too many. That’s all we’ve got time for today, guys. James, thanks for coming on. Steve, as always, clearly insightful information. So to everyone else, thanks for joining us for Secure with Celerity, and join us next week for more cybersecurity stories.