Secure With Celerity Episode 12
DAVID TAYLOR [00:00:16] Hello and welcome to Secure with Celerity. The show where we try to digest the week’s top cybersecurity news stories into about 30 minutes or so. I’m joined today by a couple of cybersecurity experts. We’ve got Joshua Read and Steve Laidler. How’s it going, guys?
STEVE LAIDLER [00:00:30] Hello there. Are you alright, David?
DAVID TAYLOR [00:00:31] Are you ready to chat some security? Well, I think the one story we had to cover this week, because it’s all over the news, is the fact that Twitter was hacked and, more specifically, some high-profile accounts were hacked and posted some messages about a bitcoin scam.
JOSHUA READ [00:00:51] Yes. This is a really odd one. I actually caught one of the tweets, Elon Musk’s tweet, as it went out. I get a notification every time Elon Musk tweets, just because I like Elon Musk. And I read it and I was like, there’s something not right here. Why would Elon Musk be… I’ll show examples of the tweets now. They were quite obviously not the kind of thing any of those people would go out and tweet. See Bill Gates there: “Everyone is asking me to give back, and now is the time. I’m doubling all payments sent to my bitcoin address. For the next 30 minutes, you send me $1,000, I send you back $2,000,” and then a Bitcoin address. And I find it very odd. Elon Musk’s was much the same as what Bill Gates was tweeting. Well, there was a long list of high-profile celebrities, and for some of the ones that were documented in one of the articles I went through and calculated their cumulative following as a group, and that reached 299,328,300 followers, which is a very large proportion of the world’s population. And if I’m honest, I find it quite astounding how they’ve chosen to use this bitcoin cryptocurrency method as their attack. Usually, if you got hold of some of the biggest followings, well, the biggest Twitter accounts in the world: Barack Obama, Bill Gates, Joe Biden, Elon Musk, Michael Bloomberg, Kanye West, Wiz Khalifa. Yeah, some massive names in there. And if you got hold of those Twitter accounts, my first thought wouldn’t be, oh yeah, I’m going to post my Bitcoin address and get people to send me some Bitcoin, and I’ll say that I’ll double whatever they send me. I find it quite absurd, you know. I think what’s more concerning here is the fact of how under the radar it went, and all of a sudden these tweets started appearing, and then Twitter, all hands to the guns, were being quite open about this. I’ve been following the Twitter Support handle for quite a while.
And they’re keeping everyone in the loop, as it were, around what’s happening and what they’re doing. But I think, yeah, as I said before, the main concern here is the power, the potential power, that the cyber attack could have had if they had breached, well, if they’d used those accounts more responsibly, to put it into context. If Donald Trump’s account was breached, it would have been a massive breach, and we were probably lucky, because I think Donald Trump’s one of the most powerful tweeters on the planet at the moment; his tweets seem to get everywhere. And it seems to be our mission to avoid anything that he tweets, unfortunately. So yeah, if they’d managed to breach the likes of Donald Trump’s account, the damage that they could inflict on not only Twitter users but whole cultures and whole societies around the world… they have a great following on Twitter. If they’d spoken out and said something about the Black Lives Matter movement, that would have sparked whole new protests in the US; that would have been immensely powerful. If they’d spoken out and spread information around COVID-19, again, that would have been incredibly powerful. And I’m surprised, I think some of them did relate to COVID-19. I think one of them said, I’m giving back to the community due to COVID-19. That was from Barack Obama. And there were a few of them that were relatively templated tweets, copied and pasted into the tweet window.
STEVE LAIDLER [00:05:24] Yes, it’s interesting, like you said. It’s slightly odd that it’s been used as a platform to gather some money very quickly. They had to be very quick about it, because, you know, Twitter’s response to this would have been fairly rapid, and it was. So they’d have had a very limited time to actually execute that plan. But like you say, it’s interesting, the people that they chose to do this with versus the people that they could have chosen but didn’t. It makes you wonder whether there’s potentially any other damage that they’ve been doing, how long they were persistent in the system, or whether they felt time was running out and they’d only recently gained access to Twitter’s environment. And the indications are that this was using Twitter’s own tools and admin privileges. So they’ve got into Twitter and then used their own tools to execute this hack. Well, then, you know, the fact that they’ve chosen particular individuals’ accounts, who may have had, you know, greater influence on society, or people whose followers might have then contributed whatever Bitcoin. Maybe the following of the people that they picked they felt were more inclined to have Bitcoin accounts. Maybe that was the reason. Given the damage they could have done by tweeting actual information rather than a Bitcoin scam, that could have been considerable, or, depending on which account you picked, it could destabilise a nation.
JOSHUA READ [00:07:06] Yeah. We were talking about this before we came on air, and he was saying, you know, that you could potentially start World War Three if you had Donald Trump’s Twitter handle. You could, you know, come out and call people out on Twitter. You know, North Korea, what are you doing in your own home? It could spark diplomatic incidents and the like. Yeah. And that’s the power of Twitter. And that’s why I don’t agree with politics on Twitter, and I don’t agree with the likes of Donald Trump tweeting. I think it’s a recipe for disaster. I don’t really agree with social media at all. In my mind, I think it’s, like anything, an advertisement harvesting platform, and it’s just tripe, if I’m honest.
STEVE LAIDLER [00:08:02] But again, it’s like anything, isn’t it? It’s a platform to put words on, and words have got power. You know, what we say can be interpreted or misinterpreted by anybody. It’s all subjective. But again, in the days that have passed, with the articles out and all the pieces in the newspapers, this is not the new way of getting your point across. People disagree and agree with them. You see that on just about any tweet that comes out. But when you get powerful people who have political influence or any kind of influence, you can affect people’s lives with simple words anybody can read.
DAVID TAYLOR [00:08:46] It gets screenshotted. So even if you delete it, there’s someone who’s seen it live and taken a screenshot. They tweet it or write it on a blog. It’s on the Internet forever. So it’s, you know, anything you say on paper or say out loud…
STEVE LAIDLER [00:08:58] But don’t say on Twitter.
JOSHUA READ [00:09:02] So I think what’s more interesting with this is if you look at Apple. For anyone who’s watching, if you go and look at Apple’s Twitter right now, they are following zero people. They’ve got zero tweets, zero tweets and replies, they haven’t put any media up, and they also have no likes. So they’re basically a dormant account. They have nothing. And maybe Twitter isn’t their primary advertising platform, but it will be a significant platform for them to push their advertisements and engage with their audience and their customers. And essentially, if they haven’t got that platform, because of the repercussions of what’s happened over the past few days, that is massive for them. You know, coming to Twitter Support and the statement they released on their platform on Wednesday night, Thursday morning, sorry: “We’ve also been taking aggressive steps to secure our systems while our investigations are ongoing. We’re still in the process of assessing longer-term steps that we may need to take, and we’ll share details as soon as we can. For all accounts, downloading your Twitter data is still disabled while we continue our investigation. Based on what we know now, we believe approximately 130 accounts were targeted by the attackers in some way as part of the incident. For a small subset of these accounts, the attackers were able to take control of the accounts and send tweets from those accounts. Out of an abundance of caution, as part of our incident response yesterday to protect people’s security, we took the step to lock down any accounts that had changed their password in the past 30 days.” So if you changed your password over the last 30 days, I would expect, you know, your account to show some weird activity in terms of not being able to tweet or engage with posts. It’s quite a…
STEVE LAIDLER [00:11:11] They’ve done it for security. The other interesting thing was there was a discussion about whether Twitter was now almost critical national infrastructure, because a lot of services, important services, also tweet. I think there was the National Hurricane Center, as you know, in the US. So there are a lot of actual, you know, legitimate reasons that tweets go out to protect and save lives and give you more important information. You know, if Twitter is compromised in some way, I suppose you could argue it’s more important than Facebook in terms of what it’s doing. If it goes down, it could impact people’s ability to get, you know, good information about important topics.
JOSHUA READ [00:11:55] It’s massive. Absolutely massive. I’m going to be watching this over the weekend, and, well, I’m excited. I’ll be interested to see what happens as regards everything.
DAVID TAYLOR [00:12:09] All right, guys, let’s move on to the second story of the week. So this is the story that records of 45 million plus travellers to Thailand and Malaysia have surfaced on the dark web. And I think it was Cyble researchers that found this after doing deep web monitoring activity, where they go to the dodgy dark web and look at the dark marketplaces for people boasting about selling different kinds of records.
JOSHUA READ [00:12:36] Yeah, the experts at Cyble discovered it when they were doing scours of the dark web. There are big companies out there that basically just have web scraping tools that go through and sift through repositories that are on the Internet and publicly available, and see what information they can get. And they found 45 million travellers to Thailand and Malaysia from multiple countries. And the asset that was found included passenger ID, which is maybe not useful, but it is unique to the customer; full names, obviously that’s important; mobile numbers, passport details, addresses, gender and flight details. Now, this one is quite interesting. There’s not really been much more detail around this one as to where it was sourced from. Obviously it is on the dark web. It’s obviously been accumulated and built up over numerous breaches, probably in those Southeast Asian countries. Everyone understands that the standards of information security are maybe not as mature and developed in those Southeast Asian countries as they are in the likes of Europe and the US. I think where Europe is definitely a leader in the world for information security is GDPR law. The US is up there as well with its many different regulations and security authority bodies. But, you know, these Southeast Asian countries that aren’t of the economic status of the likes of the UK, Europe and the US, you know, they don’t offer essentially the same cleanliness of the data. So it could have come from unsecured databases. It could have come from breaches of travel companies in those countries. There isn’t a lot of information in terms of that. But as soon as the research team identified the link, it was instantly acquired and analysed by their threat team. And I believe now all the data has been indexed and provided to amibreached.com. So if anyone’s concerned that their data has been breached, they can go to amibreached.com and have a look.
See if the information on that name is on that website. And, you know, a lot of the time with this information it doesn’t give a source, because essentially cyber attackers don’t care where you got the information from. They just care about whether it is useful or not. You know, if you have a data set of email addresses, usernames, passwords, to a cyber attacker they won’t care. They won’t be bothered about where you got it from. They won’t be bothered if you got it from a government server, or… The value is in what the data is, and if it’s usernames and passwords, it’s invaluable, almost.
STEVE LAIDLER [00:16:02] But one interesting thing that stood out with this one was what the usage of this information would be. I guess there is some use for it. You know, frequent flyers and people who are travelling outside of the country, you know, maybe there are patterns in it. And so if you have somebody’s address and you know who they are, where they live, and there is a pattern because they fly out on a regular basis on a predictable pattern, then it often leaves various assets that they have unattended, whether that’s, you know, business assets or personal assets or houses, et cetera, that are potentially vulnerable. How that helps a cyber attacker, maybe it’s more of a criminal kind of organisation that might take advantage of that. But it’s still useful information. I think it’s potentially useful in phishing campaigns, et cetera, because it then gives context to somebody’s daily life and what they’re up to, to then form, yet, you know, an attack on somebody. Use, in particular, maybe low-cost flights or something like that to Malaysia or whatever it is as a front. It then allows context for a social engineering attack, so there are different avenues that could potentially be used.
JOSHUA READ [00:17:24] Yeah, there’s a lot of stuff that could be used. The likes of mobile numbers could be used in smishing attacks, SMS phishing, and could also be used as part of fraud. Passport details, again, fake passports could be sold based off the information, depending on what information was leaked, if it was a unique passport ID, or if passport pictures were included and that sort of example. If it was literally a picture of the passport, it could quite easily be mimicked and sold on the dark web as, you know, identity fraud. And that, again, could generate more revenue for the cyber attacker. There are limitless bounds with this information. You know, the flight details, again, as you said, Steve, you can now maybe do some analysis on the data to see if there are any worthwhile patterns, any worthwhile figures that you can track and work out whether they follow any routine. Anything, really.
STEVE LAIDLER [00:18:34] Exactly. And you know, the sort of uses of the data, that’s pretty scary. And especially 45 million records; that’s a considerable stash.
DAVID TAYLOR [00:18:47] I reckon a big chunk of that is just going to be students going on gap years. I should probably check that. I’m probably out there somewhere. But yeah, anyone who thinks they’ve been in those countries might be affected. Is it amibreached.com? Is that right?
JOSHUA READ [00:19:02] Yeah.
DAVID TAYLOR [00:19:04] Cool. Check it out. Swiftly moving on to our next story. So this is the discovery of a 17-year-old critical RCE vulnerability, and it seems to be impacting Windows DNS servers. Yeah, it’s called SIGRed.
JOSHUA READ [00:19:21] It is actually a really cool name, I’ll put that out there straight away. It does actually have meaning as to what the vulnerability is. So SIG, S-I-G, relates to the fact that it’s the signature element of DNS servers which is vulnerable. And I didn’t actually work out what Red was, but SIGRed is still a cool name. Essentially it’s a remote code execution vulnerability that could potentially allow an unauthenticated remote attacker to gain domain administrator privileges over target servers and seize, ultimately, complete control of an organisation’s IT infrastructure. And if that isn’t enough of a warning sign, then the CVSS score is also a warning sign, because that’s very high. An attacker, I think, goes through the vulnerability by sending the likes of crafted malicious DNS queries to your Windows DNS server, and that in turn would allow them to achieve arbitrary code execution and could enable a hacker to intercept and manipulate users’ email and network traffic. If you’ve got control over the DNS server, you know, you can basically take over an organisation. You know, the DNS you have in organisations, the domain name services, it’s the how of how your systems communicate with each other. Essentially, it’s how they get their naming conventions. It’s how they basically exist in an organisation, so you can take control over it. It was actually Check Point Research who found it, and then they responsibly disclosed it to Microsoft, which is good. And Microsoft managed to produce the patch, which they put in their July roll-up bundle. There is a patch available in this month’s Microsoft patches. So I would patch. There aren’t currently any in-the-wild examples of it being attacked. Exploited, sorry. But it is only a matter of time. There is quite an in-depth proof-of-concept video released by Check Point Research, and they demonstrate how it can be attacked, how you can exploit it. I watched it; it is very short. It’s, again, very easy to exploit.
And as I said, well, essentially anything wormable is always going to raise the eyebrows of any sysadmins. I think everyone’s got PTSD after WannaCry and its worm capabilities, it being able to spread laterally throughout the organisation. It’s, you know, essentially the problem element here with this vulnerability is the signatures within DNS, hence the name SIGRed, as I said before. You know, you can have a DNS service attached to that domain. This vulnerability allows you to craft a payload into the secure signature element of DNS, and if it’s large enough, oddly, Microsoft thinks that it’s executable. So, again, it allows them to execute the code, as DNS is usually the centralised point of an organisation. You know, everything connects to it. And that’s where the wormable capability comes from.
STEVE LAIDLER [00:23:28] And they specified it as high severity with a high chance of exploitation. You know, I think it hasn’t been exploited yet. But given the fact that there are exploit videos and the exploit is so short, then it’s not a particularly difficult one. So I think that, again, it’s the usual recommendation of make sure you’ve patched, and especially, like Josh says, if it’s been released in July, it will be in this month’s patches. So, you know, pretty much get it on there.
JOSHUA READ [00:24:03] I mean, if anyone’s interested in technical detail, literally Google SIGRed, click on videos, and there are videos on how to basically exploit it. Obviously they’ve not shown any tactical detail, they’ve left the code out so that it can’t be replicated, but it won’t take someone very long to understand how it is, turn it into something, and how it’s built. As always, with these proofs of concept, it’s good that they’re showing a proof of concept, but then there are also bad sides to it. Obviously, people understand the process flow of how to exploit it, and will then reverse engineer how to exploit it, understand why it’s targeted and where it’s targeting, what elements they need to include in their weaponisation of the vulnerability. Well, yeah, my advice: just patch it. It’s got a lot of attention, and it’s getting a lot of attention at the moment, especially in the cybersecurity world and the news, because of its abilities. Obviously, when these proofs of concept are released, they literally scratch the surface with a lot of this. And that’s when the hacker groups then start building scenarios and concepts further and work out, you know, how can this be weaponised and what is the impact once weaponised. So, yes, I would patch very, very quickly. Well, yeah, enough of that. As we said before, that is part of July’s 2020 patch bundle, which is coincidentally our next story, and another month with over a hundred patches. And that was across their products. Obviously, as I said before, SIGRed is part of this bundle. And there are a lot of patches, again, throughout this whole bundle. I have to compliment the likes of Microsoft and commend them for their agility in bringing out patches to zero-day vulnerabilities and responsibly disclosed vulnerabilities. Well, you know, essentially I think this is going to be the new norm.
And fortunately, the volume of patches that have been released… Yeah. You know, I think it’s just going to become the new norm. I think users can be… our systems, our brains, can get used to this number of fixes being released on a monthly basis. But, I mean, I was curious, so I did some research. The graph on the screen is the number of vulnerabilities documented by the National Vulnerability Database on an annual basis. So, as you can see, if we go back to 2010, it’s roughly just under 5,000 vulnerabilities. And it’s, you know, the price is right. And then all of a sudden you hit 2017 and it rockets off. Coincidentally, that was the same year as WannaCry, the EternalBlue exploit, WikiLeaks, all around when cybersecurity really came to the forefront of everyone’s worries and minds. And ever since then, again, it’s continued to grow. Now, 2020, the first six months: there were just over 10,000 vulnerabilities released from January to June. Obviously, we’re halfway through the year, so we can’t work out how many vulnerabilities there are in 2020, but so far, if we take the first six months and times it by two, it’s not accurate, but a projection. So we’re looking at, you know, roughly around 10,552 vulnerabilities for the… you know, across the whole of 2020. And if you put that into context, of those 20,000 vulnerabilities, Microsoft will hold a very small proportion of those vulnerabilities. There are a whole load of other different vulnerability categories. You know, there’ll be specific software like Chrome, Firefox; they’ll all get CVE numbers. And essentially what they are is, you know, if your vulnerability is documented, it’s given a CVE identifier, which is CVE, the year it was given the CVE number, and then an identifiable code, which is the last four digits of the CVE number. Or again, moving across.
If we look at the average number of vulnerabilities found per month across the last 10 years, courtesy of the National Vulnerability Database (this took quite a while to visualise, actually), well, if we look at that per month, usually March, April, May are very, very busy. Coincidentally, the highest is… it usually drops off around late summer, but then picks back up in October and then drops off around the holiday season. So it’s usually a steady flow. There are no peak months, really. They’re all roughly around the same. Obviously, the standouts, I’d say, are May and October; they’re very popular in terms of the downside of vulnerabilities. Well, I think the main standout for me is this one right here, which was May 2017. Obviously that’s off the scale of vulnerabilities announced there. Well, I’d say the three lines here are only the last three years, 2019, 2018 and 2017, so the volume of vulnerabilities is miles larger than what it was over the previous years. Obviously in 2014, around September and October, there were quite a few then, but that was an anomaly. But, you know, I think it’s a cumulative, different way of looking at things. You know, the vulnerabilities have changed, the way that they categorise them. You know, there’s much more acute research now, with small platforms that are being covered, you know, that have been identified as key platforms, so they get vulnerability numbers.
STEVE LAIDLER [00:30:43] The reporting is better across everything.
JOSHUA READ [00:30:46] Yeah, it does. There’s so much more visibility now. And essentially, it’s not a healthy forecast. Well, you know, it’s probably good that we find all these vulnerabilities. We’re going to have to do it. It’s just going to be the new norm: the volume of vulnerabilities found, the volume of patches that are released. It’s just going to open up and open up. It will just continue, because as more people digest information, you know, information security is going to become more apparent and more and more needed. So, yeah, that’s it.
DAVID TAYLOR [00:31:20] What are the repercussions of this happening? So IT departments, obviously with the number of vulnerabilities being found going up, do IT departments and organisations need to hire more people to do it? Or is it a case of they’re just doing their best to stretch?
STEVE LAIDLER [00:31:38] I guess potentially. I mean, remember that the pool of software is ever increasing. So there’s more and more software being developed, more and more firmware. You know, software pervades everything, across just about all devices and systems and everything. It’s everywhere. So there are always going to be bugs in software. Nobody ever says, well, we’ve written this amazing piece of code with no bugs in it at all, especially when you talk about enterprise-plus software that is very large and requires multiple teams to integrate and get a piece of software up and running. There are always going to be problems, bugs introduced that are then fixed, that introduce more bugs. You know, we’ve been talking about patching for the last 20 years. It’s never gone away. It’s always been there. It’s still going to be there over the next 20 years, just because of the way it is.
JOSHUA READ [00:32:33] It’s hard for organisations as well, because, you know, every organisation you go to, there will be shadow security setups. There will be, you know, people who just ignore all the policies and install… you know, oh, you’re not allowed Google Chrome on your laptop? Okay, I’ll just go and find a way of getting it onto their PC, managing to get it on some way or another, maybe via USB. Essentially, not every organisation has an asset dictionary, an inventory of the software that is installed. Not everyone has a software asset management tool, and, you know, there are massive problems. So knowing what you need to patch without a vulnerability scanner, without a professional, is incredibly hard, because, you know, yeah, we’ve got this one and there are 130 fixes this month. How many of them do I actually need to apply to my systems if I don’t have an automatic model system that does it for me? So it’s difficult. It always will be.
DAVID TAYLOR [00:33:45] Always. Well, I think I’m just going to predict that next month there’s going to be at least a hundred patches in Microsoft’s bundle. All right guys, well, I think that’s all we’ve got time for today. We crept a little bit over the 30-minute mark, but I’m sure we’ll be forgiven for that. So thanks again for your time and your advice on that, guys, and for our viewers at home, thanks for watching us. Join us next week for more top cybersecurity news stories. See you then.