Secure With Celerity Episode 15
DAVID TAYLOR [00:00:59] Hello and welcome to another glorious episode of Secure with Celerity. My name is David Taylor and I’m your host for today’s weekly cyber security news show. I’m joined, as always, by my cyber security friend Joshua Read, who is our Lead Cyber Security Expert at Celerity. How’s it going, Josh?
JOSHUA READ [00:01:15] How you doin’?
DAVID TAYLOR [00:01:18] Not too bad. Ready to jump into some cyber security news stories. So first off the cut, I think we can’t avoid it: the 17-year-old mastermind and two others behind the biggest Twitter hack ever have been arrested. The story that has come out is that, of the three of them, there’s a 19-year-old from… places in the UK, a 22-year-old, and a 17-year-old from Florida in America, with the 17-year-old, the youngest, being the ringleader.
JOSHUA READ [00:01:53] Well, I follow, I think, The New York Times’ news coverage of this, and they said that they had managed to obtain information around how those three young perpetrators carried out the hack. No one really thought of it any more. They just thought it was, you know, news outlets trying to make news, but apparently, you know, the attorney’s office have received a complaint and are processing charges against these three individuals. So before we delve in, a little recap, because more and more information has been released as the weeks have gone on for the Twitter breach. So essentially, three hackers socially engineered their way into Twitter using phishing and spearphishing concepts. It was revealed that some of the employees were targeted using spearphishing attacks over the phone, misleading the employees into giving away credentials. Once they were into Twitter, they managed to get access to some Twitter god-like internal tools, which allowed them to hijack the tweet feeds of the likes of… Donald Trump wasn’t, actually, surprisingly. There was Joe Biden, Barack Obama, Kanye West, Kim Kardashian, a whole load of people who, you know, had their tweet feeds hijacked by these three perpetrators. And the usual: the tweets that were posted on those feeds went along the lines of “I’m doubling Bitcoin donations to this Bitcoin address. In the next 30 minutes, if you send me a thousand, I’ll send you two thousand back.” And you know, there were 45 high-profile Twitter accounts that were breached, and those were the ones that had the tweet sent out on their profiles. 36 accounts had their direct message inboxes accessed, and some accounts had information downloaded via Your Twitter Archive, which is basically an activity log of what users do on their Twitter account.
So the US attorney’s office said, in a statement, that today’s charging announcement demonstrates that the alleged nefarious hacking into a secure environment for fun or profit will be short-lived. Criminal conduct over the Internet may feel stealthy to the people who perpetrate it, but there is nothing stealthy about it. In particular, I want to say to would-be offenders: break the law and we will find you. It’s a very, dare I say, American response to it, and it’s no different. Expect nothing, nothing, nothing different, really. Since the charging has been announced by the attorney’s office, Twitter have come out and said that they have significantly limited access to the internal tools and systems, which I think is the right way of going about it. Obviously, that said, support time and response time for support-related tickets and stuff will be reduced because they don’t have these god-like tools any more. But really, it’s fixing the problem, realistically. It’s not the skill of the hackers that was the problem here, because it was a very low-skilled attack. It was phishing. What the problem element here was is the fact that Twitter had these tools that were readily available to such a low-level account, privilege-wise. I think in total, the fraud scheme that they used reaped in over a hundred thousand dollars in Bitcoin from several victims. So, you know, it can be viewed as a win. In my eyes, it looks more like a hobbyist, for-fun type of movement. There was no, you know, there was no political agenda. There was nothing, really. One hundred thousand dollars is a good sum of money, but in terms of cyber attacks, that’s minimal. The information that they retrieved is minimal as well; they haven’t really retrieved any information that could be held to ransom against the company or anything like that.
It almost does seem like a hobbyist mentality to all of that.
DAVID TAYLOR [00:06:56] I think we said that before, like, when someone managed to hack into Twitter, but then all they did was put up this, you know, obviously a scam. I think a lot of people would look and go, I’m not going to pay that money, you don’t fool me. So I think when it actually came out, if it was, you know, actually legit, it wasn’t someone trying to do any of the things like, maybe, nation-state attackers or whatever. And it, I guess, came as a surprise, and maybe the ages show that maybe that’s why it was what it was. It wasn’t, like, super malicious. Obviously money laundering and fraud are malicious, and yet they weren’t doing anything spectacular with their access.
JOSHUA READ [00:07:41] No. It goes to show as well, you know, the age of these attackers. It may come as a surprise to people, but it doesn’t come as a surprise to me. A lot of the time, I think the media don’t help; the media portray a hacker as a hooded figure in a dark room with a brightly coloured keyboard. You know, white, or, you know, a white male. That is just a stereotypical view of an attacker. It doesn’t matter; there are both genders, all ages, all ethnicities. There’s no stereotypical view of an attacker. It could be anyone in plain sight. And that’s what’s dangerous: people like to view and see someone as a hacker. If you know what I mean, they want to put a name to a face. They want to see something physical to blame for it. I think that’s always how it has been. The ringleader, the third defendant, which is the juvenile, his personal information wasn’t released because he’s a juvenile, and that is part of state law. But the WFLA news organisation in Florida identified the perpetrator as 17-year-old Graham Clark from Tampa Bay. So, you know, it is what it is. The broad range of locations as well. I mean, Mason Sheppard from, of all places, Bognor Regis.
DAVID TAYLOR [00:09:23] Cyber security capital of the UK now.
JOSHUA READ [00:09:27] Nima Fazeli and Graham Clark from areas of Tampa, well, Tampa Bay and Florida, which are both in the state of Florida. So, you know, the two reports are available on the San Francisco district attorney’s website. And they are riveting reads. They have all the high-level… they have the evidence that they’re putting forward to the court, as in, this is why we’re blaming these three people. And in the two complaint reports there were detailed conversations between the three of them, and also some pretty conclusive evidence as well, based off IP location, Bitcoin addresses. It’s a riveting read. It really is. It’s quite interesting to see the process that they go through from a legal point of view. I’ve given it a read and seen what went through: you know, I followed the process of them using the blockchain, trying to trace Bitcoin transactions, which then retrieved conversations between the three of them via Kik and Discord chat. You know, they weren’t using secret underground conversation tools. They were using Discord, which is popular amongst scammers, and Kik, which was a popular chat messaging service alongside WhatsApp a couple of years ago. And, you know, it’s fairly, very low standard, quality-wise, as a cyber attack, but it’s been, if not the most impactful one on a social media platform to date. And, you know, it just shows that overlooking some small elements, i.e. phishing, can lead to such a high-impact breach of information and also impact the company’s reputation as well. This is a perfect example of the impact of phishing and how rewarding it can be for any cyber attacker.
DAVID TAYLOR [00:11:39] It is crazy. I mean, we do this as a weekly show; how many times do we talk about phishing trends in it, or, you know, the number of cyber attacks and successful cyber attacks that actually stem from phishing? The thing is, isn’t it some number along the lines of 90% of cyber attacks have some form of social engineering involved? So obviously, at this point, something so simple got to someone like Twitter, which is a huge multinational online company. This is crazy, right? We’ve cracked on with that, and that’s a little bit less… Let’s move on to our next story. So this is that there was an Apple Touch ID flaw. It could have let attackers hijack an iCloud account. So I was reading on this one a lot and it’s gone over my head, so I’ll leave it up to you to explain what the flaw actually is in detail.
JOSHUA READ [00:12:28] Well, I say a lot of it’s kind of… because I’m not an Apple user. I don’t have any products because I just don’t like Apple products. Apple earlier this year fixed a flaw built into both iOS and macOS, so both platforms, that could have potentially allowed an attacker to gain unauthorised access to a user’s iCloud account. Now, this is quite a high-profile one, because many of you out there will be aware that there have been numerous breaches of iCloud accounts that have resulted in celebrities having their pictures, their messages, their emails breached; some quite high-profile breaches. So this was uncovered in February of this year. I apologise for the pronunciation with this: by Thijs Alkemade, a security specialist at IT security company Computest. And essentially the flaw resides in Apple’s implementation of Touch ID, which is the biometric authentication solution on, you know, all Apple devices. And, you know, the central premise of the flaw is that when a user tries to sign into a website using the Touch ID element of authentication, you can basically steal the auth token from that authentication and then copy and paste that into the source code of the Apple iCloud website and post it to the authentication server. Well, the diagram on the screen right now: on the bottom right of the right side of the screen, that is the website. So you’ve got the website. All he’s done is press F12 and gone to Inspect Element, and in there he’s got the address for the authentication server at Apple. And then the left side of the screen, on the bottom left, is what the victim would see. So that’s someone’s iPhone. They’ve signed into a public Wi-Fi. They’ve used it to try to set it up.
And the top left is the Python; it’s basically using Python to steal the grant code, which is the element that is required by the Apple authentication server to let you through onto wherever you want to go. Now, all they’re doing is capturing and relaying the grant code to the Apple authentication server, but from a completely different device, and it’s letting them through onto the iCloud website without a username or a password, essentially. And that is a massive, massive flaw, because, like I said, if you set up a Wetherspoon’s Wi-Fi, you know, people are like, free Wi-Fi, when they’re out and about, because they don’t want to use their data. They’re just going to connect to this unknown hotspot or public Wi-Fi. And if it prompts you for an Apple ID sign-in, it’s easy just to provide your fingerprint, and that will then go off. And then someone can, in a sense, intercept that authentication as it’s going out to the Apple server and basically relay that and steal the grant code, and then use that grant code to access the iCloud account of that user. So as far as I can see it, it’s genuine, because all they’ve done is… their server received a request for authentication from a device and they provided, yes, you can access. But, you know, the grant code has been intercepted on its way back and copied and pasted. The user isn’t aware, Apple isn’t aware, and then the hacker is basically sitting in the middle laughing and taking everything. It was quite a worrying vulnerability, especially for, well, an industry leader like Apple, who you would have thought would have had more biometric security. I think it goes to show that biometric security isn’t quite as secure as people think. There’s been a lot of concepts around, you know, people drawing faces on a piece of paper and then holding it up to Face ID and tricking Face ID into thinking that it actually is the user of that phone.
There’s this fingerprint biometric trick that you can do as well.
DAVID TAYLOR [00:17:32] Do you think it’s been exploited in the past? Like, you know, you mentioned that some celebrities have had their personal photos and messages hacked from their iCloud accounts. Do you think that was maybe the way they got in, or…
JOSHUA READ [00:17:43] It’s difficult to say, usually, with those. Well, I think for the most part, those ones were phishing emails. There isn’t a… they obtain the credentials, log in to their Apple ID. With these ones, as always with these concepts, it’s very, very specific. So you’re going to have to be on the same network and steal the authentication token. It’s quite specific. Now, it’s been patched already by changing the server configuration at Apple’s end, and so users won’t have to do anything. But, you know, it’s still worrying that, you know, these vulnerabilities… there’ll be vulnerabilities in the device I’m holding right now, an Android phone, but they haven’t been discovered yet. And that’s what the element is here. Until a vulnerability is found and documented and told to the vendor, it’s not really a vulnerability, because of, you know, even in zero-day attacks, where cyber attackers work out that something is vulnerable and then the vendor rushes around trying to fix it, that’s a vulnerability. But for the most part, this was responsibly disclosed. There wasn’t very much information around this up until this last week. So it’s difficult to say; there could have been very acute cases of it being exploited, but there’s no evidence that it was widespread, that it was being widely used in cyber attacks. It is always difficult to understand, especially with vulnerabilities.
DAVID TAYLOR [00:19:25] So the moral of the story is that you just have to get a data plan and avoid using public Wi-Fi.
JOSHUA READ [00:19:32] The moral of the story is that it’s not biometrics that’s the weakness; it’s the security around the biometrics which is the weakness. And it’s merging state-of-the-art technology in biometrics with old technology that’s been around for 10, 15 years. It’s, you know, the merging of those two technologies which is the weakness, because in this case it was the website source code which was allowing you to post a grant token, and there was also the server configuration not checking what device was actually requesting. And, you know, simple things like, if two devices have posted the same grant code in a short period of time, then you need to investigate, because essentially people are stealing grant codes. So the moral of the story is Apple needs to be more technical with their code.
DAVID TAYLOR [00:20:33] Well, hopefully there are some employees from Apple watching this show. Right. We’ll swiftly try our next story. UberEats data leaked has been found on the dark web. Now, this isn’t a mega, mega data leak, is it? It’s not even in the millions. Not even in the thousands. The leaked files included login credentials of 579 UberEats customers and details of 150 drivers, with not much other information provided.
JOSHUA READ [00:21:04] Yeah. It is not a massive one in the run of things. I mean, we’re looking at a company that has over 70 million customers, in the run of things; you know, 90 txt files, depends what’s in those txt files. 579 login credentials is a very small proportion of the whole user base. And again, 100 delivery drivers; they still have thousands upon thousands of delivery drivers. So it is quite a low, low-level breach. But I think more interesting is where does this information come from? You know, where might they obtain this collection of credentials, delivery drivers, text files from? It could be that, you know, quite often there’ll be several different phishing campaigns that are all sort of integrated and related to each other, but from a victim point of view, they all seem like separate phishing campaigns. Now, if you collect a load of data from that, you might get another five from each campaign. But if you collect that into a database, you’ve got 35 credentials, potentially unique credentials, from seven different campaigns. So it could have been that. Now, it was discovered by the Cyble research team, scanning the dark web, scraping the dark web for information, and they managed to find this information. But really, it’s a small-scale attack in terms of it. Well, what I would suggest, especially with these types of things, is all you can do is just go on Have I Been Pwned and type in the email address that you signed up with. Make sure that you’re not listed on anything, and if you are listed on anything, make sure that you change your password. It’s as simple as that; breaches happen. To avoid a breach on any email account is a full-time job at this moment in time, and yeah, there are hundreds of companies, large companies, medium, small, that have data breaches. So it’s important to basically…
DAVID TAYLOR [00:23:29] I guess. Well, yeah, you heard it from Joshua. If you are worried that you’ve been breached, get yourself on Have I Been Pwned; it will tell you if you’ve been breached. I think I was breached in a LinkedIn one. Alright, on to our final story. We’ve got… this is one that’s quite close to our hearts, I think, Josh; we were talking about it quite a bit before we came on here. And this is the story of punishing cyber security errors being found to be counterproductive. Is that, is that somewhat of a surprise? Not a hundred percent sure. So this was a new study done by CybSafe, in which they found that 42% of organisations take disciplinary action against employees who have made cyber security errors, a.k.a. opened a phishing email which they shouldn’t have, clicked on links, filled in details. And so, it just carried on to what else was found in the research. It included naming and shaming, 15% did that; decreasing access privileges, which some organisations set up; and locking computers until appropriate training has been completed, at 17% of organisations surveyed; and additionally, 63% of the organisations will inform the employee’s line manager when cyber mistakes are made. What are your thoughts on this, Josh?
JOSHUA READ [00:24:51] It’s very difficult. The results of any exam, whether it be for certification or any test, really, phishing simulations, an exam in your induction phase, that should always be kept confidential at the highest level, because, you know, essentially you then have the ability to embarrass an employee. Now, embarrassing employees is obviously not encouraged, because it’s, well, it’s the reverse of what you are trying to do with phishing simulations. With phishing simulations, you’re trying to encourage users to act in a way that is both sensible and desirable from an organisational point of view. Now, if you’re naming and shaming employees for clicking links and submitting details, it’s just going to create a sense of resentment in your organisation. And in a way, it actually just does the opposite of what you are trying to do, because all you are doing is angering your user base and essentially raising the risk of insider threats, because more users are going to be like, oh, well, you know, they shamed me, here’s this link, I don’t like that, I’m struggling, I’m going to click the link. And that’s the mentality it instils. Now, I was shocked at the number of organisations that were naming and shaming their employees; that is possibly the single worst thing you could possibly do, and the most impactful in terms of your employee morale, your productivity rates. It happens. Sometimes information gets leaked out as gossip, coffee-room gossip, stuff like that. But if you’re doing it on a repeated basis, month after month after month, it can really, really, really hurt people. And it can also really affect productivity, because then they get into a sense of, oh no, every email is a phishing email, and I’m going to report all of them. And you don’t want that. It’s just going to create more work for your cyber security teams. It’s going to decrease the productivity of your working base. So it’s, yeah. I was shocked by every single statistic in this report.
I mean, the approach… I’ve always believed that the approach to phishing simulations should be a passive approach, where you don’t inform the users that they have failed; you just passively assign them a training activity. Now, whether you do that… you know, a lot of people, I think that was demonstrated in here, will remove privileged access rights on accounts. Now, that’s another area; it can be viewed as a good thing and a bad thing, depending on the person you’re making that judgement from. And again, something I think that’s really, really crazy: 17% of those surveyed locked computers until the training was complete. Now, that is ridiculous. I don’t understand why you would do that. Keep a user from working because they’ve failed a phishing simulation? It’s almost a reverse mentality.
DAVID TAYLOR [00:28:30] Talking about productivity, like reducing productivity, like every single one of those stats: decreasing their access privileges, locking the computers down, naming and shaming, and telling the line manager, all of those, that’s going to stop people working as quickly. They won’t scan and click on links; they’re going to double-check everything. If you lose access privileges, they probably have to go through two to three people to get whatever documents or whatever software they need. And it’s just going to get more people involved. It will take way longer to do anything. And I don’t see any benefits because, in this study… we know personally, like, we obviously, you know, run phishing simulations in Celerity. All of us have cyber security training, for all employees. And I think if we named and shamed people by finding out about them, I’d be so embarrassed. Especially, you know, with my job, like working in marketing, and we have to know quite a bit about cyber security, and for me to then click on phishing links, because we talk about it, you know, week after week. That would be extremely embarrassing, for the whole company to know that, perhaps on a regular basis. Yeah, I probably wouldn’t like working at Celerity after that.
JOSHUA READ [00:29:43] So that’s what the problem is here. You know, if you’re naming and shaming, you’re discouraging users from doing the right thing, and you’re also discouraging users from working, with every single approach that, you know, people said that they did. All you’re doing is instilling fear in your user base. And that’s the one thing that affects productivity. People fear what they don’t understand as well. And that’s another thing that’s been a massive problem in cyber security. People don’t understand cyber security because they see, again, the media blow cyber security up; they can’t help but throw glitter on it and say, oh, this is a really complicated thing, you know? It’s really scary. It’s really scary. But in actual fact, it’s not, if you take a logical approach to things. It’s fairly simple. And people just need to understand that cyber security isn’t a productivity-absorbing machine and a fun sponge. It’s just, you know, it’s just another division of a company whose sole aim is to protect the data and users of the organisation, not the way they do things. Yeah. It’s questionable, every single stage of it. So, yeah, I think cyber security teams around the world are viewed as the police, and no one likes the police. Well, I can say that our Celerity cyber security team is very fun. They’re not fun sponges. All right, guys, that’s all we have time for this week, unfortunately. I have some good stories… It will be interesting to see what happens with those three that were charged over the Twitter hacks, and hopefully we’ll be hearing more information about people doing less naming and shaming and being more, as you know, forward-thinking, with positive reinforcement rather than cracking the whip on their employees. Thanks for watching Secure with Celerity and catch us next week for some more top cyber security stories. Catch you then.