With Paul Ducklin and Chester Wisniewski.
PAUL DUCKLIN (DUCK). [MUSICAL MODEM] Hello, everybody.
Welcome back to the Naked Security Podcast.
As you can hear, I am not Doug. I’m the other one, Duck.
Doug is away this week, so I am joined by my trusty friend and colleague from Vancouver, Chester Wisniewski.
CHESTER WISNIEWSKI (CHET). Hey, Duck.
It’s good to be back on the podcast – ringing in the summer on the Naked Security Podcast.
DUCK. Yes, Happy Solstice!
You’ve been on the road, haven’t you, lately?
For the first time in quite a while?
CHET. I did “faux-RSA” a couple of weeks back in San Francisco, where you go to San Francisco and you meet with people at RSA, but you don’t actually go into the room where RSA is, because people don’t know how to wear masks.
Which turned out good for me, because RSA was a bit of a super-spreader event.
But I didn’t have a good enough sense to stay home, so I’m podcasting this week with you from lovely Anaheim, California, very near the D in the DMCA, the Disney Millennium Copyright Act, across the street from Disneyland.
DUCK. And the home, I’m delighted to say, of the Anaheim Ducks, no less?
CHET. Yes, though they are less mighty than they once were.
DUCK. Ohhhh… I was going to say, “I think I could get behind a team with a name like that, Chester.” [LAUGHS]
So, let’s jump into this week’s cybersecurity stories, Chester.
The first one – I’d love to hear your take on this; we wrote it up this week on Naked Security.
It’s all about phone scammers and the fact that they’re quite hard to deal with, because there are fake call centres all over the world.
But Interpol, every year, has a kind of a multi-country phone scammer “takedown fest” that they call First Light.
This year’s ran for two months, and involved more than 70 countries.
And although that sounds like a lot of work, and it really was, nevertheless, they were able to make something of a dent, busting 2000 suspects and confiscating $50,000,000, if you don’t mind, at 1700 locations around the world.
So, it seems there’s no shortage of money, sadly, for phone scammers.
It still pays the bills for them, sadly.
CHET. Well, that explains why we probably get so many of those phone calls, especially those of us that are silly enough to still have non-mobile telephones.
For some reason, my VoIP number, that at one past time was a landline…
…I think it’s probably getting four or five times as many of these calls coming in as I get on my mobile number.
But it is an impressive result – I think it’s important to remind people that this isn’t one giant cybercrime group that operates in 70 countries.
It’s more of a co-ordinated effort directed toward this problem in general.
So, this is probably hundreds of individual groups making up the 2000-plus arrests.
But it does show what a global problem it is.
Presumably, with 70 countries, they’re not all English-speaking.
There are going to be people scamming in many different languages, with many different sets of victims, not just English-speaking countries.
And along with those 2000 arrests and the $50 million, apparently that involved the freezing of 4000 different bank accounts.
So, as you say, it’s not just one giant group with a few subsidiaries.
It’s sort-of a “giant group of giant groups”.
And from some of the videos I’ve seen online, where people have, rightly or wrongly… when they’ve had a call and gone online with the scammers, they’ve been able to go in backwards like a sort-of a reverse shell, but for CCTV, so they can see what’s going on in the call centre while they’re being scammed.
Some of these are not tiny operations.
They are hundreds of people in what is effectively a call centre set up professionally, as a call centre.
But they’re not making professional calls.
They’re making crooked calls.
And, I mean, this is without going down the cryptocurrency rabbit hole.
Those 4000 bank accounts… good luck if those were bitcoin wallets or Monero or something, right?
I mean, the traditional financial system at least gives us an opportunity to seize those funds and hopefully maybe even redirect that money back toward the victims that were scammed in the first place.
But when we look at so many of these rug-pulls and cryptoscams that are going on, generally the money’s never recovered.
DUCK. Because $50 million has been frozen, just of what hadn’t been moved out of the accounts yet, in this operation…
…that suggests there are a lot of friends and family that we could be reaching out to who are still in desperate need of being told what to listen out for.
Because these guys are very persuasive, aren’t they?
The polish on their scripts, and the amount of people they’ve probably previously victimised, unfortunately seems to have given them professional experience at being con-artists.
OK, I imagine that’s true of many con-artists in any traditional scam out there, but the fact that there are humans involved makes the victims less on their guard.
I think we’ve gotten so used to scammy things in our email that, once we get on the telephone and there’s an empathetic person on the other end of the line who seems to be trying to help us, it makes us extra-susceptible to going along with the scam.
Even though there may be many red flags, or at least amber-coloured ones, all along the path.
DUCK. So, what’s your advice for people to advise their favorite Aunt, their Mum, their cousin, their friends who aren’t as tech savvy?
CHET. It’s tough giving people advice.
I mean, there are two groups out there, right?
You’re asking, “What do you tell the vulnerable group?”
There’s also, of course, a lot of people, like the folks that listen to this podcast, whom I often interact with, where they will say, “Oh, I spent an hour on the phone with them.”
And I guess that’s okay if you’ve got an hour to waste, but you’re probably not actually accomplishing much by tying them up on the telephone for too long.
It seems to be that, due to the savviness of the criminals these days, they have very little tolerance for being played with in a cat-and-mouse game.
They’ll just hang up on you, and get angry, and move on to the next victim.
So I’m not sure that spending all that time on the phone terribly useful.
As for our family members, I think we have to go back to the same type of advice we’ve been trying to give people for years, about the incoming call that pretends to be from the tax authority in your country, or pretends to be from the police.
In this case, of course, it’s outgoing calls… you’re being tricked into calling them in many cases, which I guess lends more credibility to this.
But the reminder to family and friends works in both directions.
You should be suspicious of things that you’re not expecting to occur.
Most of us have tried to call and get customer support from many large companies, or for that matter local government, or police or different bodies.
And it’s usually a lot more difficult than you’d think!
And so, if you call a number and people instantly answer and want to help you, sadly, that is an indicator that something might be wrong.
You should always be verifying that phone number you’re calling.
If it says it’s from your bank, then you get the number *off the back of your bank card*, which is the advice we’ve always given.
CHET. And so it’s that same type of thing, right?
If it’s incoming, then you hang up and call back.
If you’re calling out, you don’t just trust a phone number because it shows up in an email – or a fax, or anything else for that matter.
You should *always* verify using some legitimate method: previous correspondence; a card you carry in your wallet; or perhaps the website that you regularly visit that’s bookmarked in your browser.
Make sure you’re using the correct contact information.
DUCK. And absolutely don’t trust the number that shows up when they call you, just because you think it looks legit.
Because, as you’ve said before, Chester, when you were last on the podcast… you’d received a phone call, and they were obviously trying to pretend to be Amazon.
And they’d gone out of their way to get a Seattle, Washington number, so that you think, “Oh well, Amazon’s in Seattle – look, they’ve got the right dialling code!”
But that will always show up correctly if the cooks want it to, because they can pretty much come up with toll-free numbers for you to call at almost no cost to themselves, *and* they can make their outbound numbers look pretty much like what they want, can’t they?
CHET. Yes, absolutely!
In fact, a lot of the scams like the ones that were busted in this enforcement action… the ones I’ve been receiving have been proclaiming to be from a lot of tech companies that have charged your card, that you need to get a refund, or there’s been some sort of clerical error and you need to reach out to them so they can sort out your account.
And what’s interesting is that none of these companies have I ever been able to reach by telephone, no matter how hard I’ve tried!
DUCK. [LAUGHS] So that’s your telltale, is it?
“If you phone the number and someone answers, it must be a scam!”
CHET. [WRY] Pretty much.
Have you ever tried to call Google?
DUCK. Not personally, Chester.
CHET. I recommend against it, in case you ever feel tempted.
The number of people that reach out to us about things like their Instagram accounts being stolen, and their Facebook accounts being stolen because they weren’t using multifactor authentication and so on…
You listen to these people describe their experiences trying to get support from Facebook or Instagram to resolve their issues, and it will quickly convince you that if you reach a human, it’s probably not real.
DUCK. And, as Interpol went out of its way in its report to remind everyone, don’t be fooled if you’ve been scammed once and then you get a call from a lovely gentleman or lady who is “from law enforcement” who wants to help you because they know you’ve been scammed.
Because, as Interpol noted, one of the backstories that they came across, in amongst the very many, were scammers pretending to be Interpol!
In simple words, if I can finish up now on this topic, Chester:
And our other little jingle that we like to say:
- If in doubt, don’t give it out.
Never feel cajoled, or pressurised, or sweet-talked into handing out information that you think you shouldn’t.
CHET. And remember, as well, that it can be via *any* kind of communication mechanism.
I’ve been seeing these scams come in through text messages; I’ve been seeing them in emails; I’ve been getting them as telephone calls.
They don’t discriminate – it’s not always via electronic means, because all communication methods are susceptible to these types of attacks.
And, as you said, they’re often a combination, aren’t they: you’ll get an email, and the email says, “We’re going to bill your account, but no worries, we’ve got this fantastic toll-free number you can call.”
So, Chester, let us move on to a story that looks like it’s finally coming to an end, three years after we first wrote about it.
And that is the conviction of a cybercriminal by the name of Paige Thompson, whom many people may remember was associated with a massive data download from Capital One, almost three years ago to the month.
And she’s finally been convicted not only of a whole load of offences relating to downloading vast quantities of data, but also of breaking into people’s cloud services to inject cryptomining software, so they pay for generating the cryptocurrency.
What’s the backstory here?
CHET. Well, she at one point in time had worked for Amazon, and initially, I think folks were suspecting that perhaps she had inside information that allowed her to compromise these organisations.
But then, as we learned later, it wasn’t just Capital One.
I think there were close to 75 different organisations where she ultimately was able to get at data, because of misconfigured cloud firewall policies in Amazon’s AWS service.
And so she was able to write a script that scanned all of Amazon’s cloud customers to see who had made this error, and how they defined their firewall rules, which allowed her to then access sensitive information in their Amazon S3 buckets.
The charges were amended about a year later to include additional charges, as you say, for cryptomining at the expense of some of these customers who also had insecure EC2 instances, which is Amazon’s Elastic Compute Environment, where she did put some cryptominers in.
The bizarre thing is she bragged about all these crimes… that she had stolen 100 million records from Capital One, a US based credit card firm, as well as a lot of university research institutions and other corporate entities that had these misconfigurations.
And to me, the installing of the cryptominers was another sign of this call for wanting attention or wanting credit, for “being clever” for doing this.
Because, as we’ve investigated in the past, when criminals install cryptominers, they largely don’t make more than $10 or $15.
It’s so difficult to intensively mine cryptocurrency before you get discovered that you generally don’t ever make any money.
But, of course, in the US legal system, that did multiply the impact of her crimes, because she had a profit motivation.
DUCK. She used that as a way of saying, “Well, as you can see, I just wanted to prove a point,” didn’t she?
In other words, it’s sort-of passing herself off as a security researcher.
But it seems that neither law enforcement, nor the court, nor the jury bought into that theory.
CHET. No, neither did I.
I was interviewed by the New York Times about her pending court decision just before she was convicted, and was asked, “Her defence attorneys were positing that she was a security researcher and that was going to be her defence.” And the Times was curious whether I thoughy that what she had done, under any circumstance, could be construed as legitimate security research.
I just have to ask the listeners, “Would you take one stolen credit card from the credit card company, or a Social Security Number and personal information, to prove that something was insecure?”
You *shouldn’t*, but you *might*.
“Would you take 100 million?”
That is a different level of intent!
To prove that you’re running code on something, the famous thing that we do in the hacker community, when you’re a legitimate security researcher, is what is often referred to as “popping a shell” or popping a calculator”.
That’s generally the demo that you do to show that you have code execution on somebody’s computer when you shouldn’t.
And that literally refers to exploiting a bug and making the calculator show up on the Windows desktop, just to show that I can run stuff that I shouldn’t be able to.
You don’t then run cryptominers to personally profit from that crime!
DUCK. Yes, I think that’s a very important point.
In fact, in the Naked Security article where we covered this, my first tip was not what companies can do to protect themselves against data breaches of this sort, but was more about, “If you want to get started in cybersecurity, read the rules for any engagement and follow them!”
And I guess the other thing that this proves very strongly, Chester, is that if you haven’t got your head around the idea that penetration testing, and scanning your own systems repeatedly and regularly in case things aren’t set up correctly…
…if you haven’t got your head around the fact that that is a good idea, well, this proves that if *you* don’t do it, the crooks surely will!
Because she essentially concocted what you might call an anti-security scanner, right?
Exactly the same sort of tool that you could use to find the holes and go, “Whoa! That’s not right, we need to fix that!”
But of course, once she’d found the hole, then she went diving in through it, which is why she got into a world of trouble.
CHET. Well… if you need help finding these types of problems in your cloud environment, you might call us up.
We might have something called Sophos Cloud Optix that can help with that!
DUCK. It’s funny you should say that, Chester, because somebody – I can’t think who it could have been [LAUGHS] – put a little advert for Sophos Cloud Optix at the bottom of the article on Naked Security.
The only bit of commercialism in the show, folks…
…Cloud Optix is a great service that helps you with what, in the jargon, we call Cloud Security Posture Management.
Basically, it helps you go out and look for things that should not be happening, and just as importantly, to confirm that the security settings you expect to be in place really are.
Because. like we said, if you don’t, somebody else will.
So, to finish up this episode, Chester, I would like to hear you talk about something which I’m sure is near and dear to your heart, because it’s 100% Canadian, and that is a very peculiarly-sized fine of…
…you hink they would have rounded it down, but they didn’t: $200.9 million Canadian, that a financial organisation called Desjardins got fined for another breach.
This one did not have as many records affected as in the Capital One breach, but I guess more significant data was taken in the records that got stolen.
CHET. Yes, I wanted to talk about this story because I think, too often, we feel like nothing happens to these companies when they’re careless with our data.
And even in the case of Capital One, while it was 100 million records, and I believe the fine was about $80 million, there was also, I think, another $100 million and some odd, almost $200 million in cost to Capital One from lawsuits related to that incident.
Indeed, they did not get off scot-free!
DUCK. They did not!
So how did it pan out for Desjardins?
CHET. Well, similar to Capital One, in this case, they had 4.2 million bank customers that were compromised through this attack. or their personal information was compromised.
And then, as you pointed out, the settlement was $200.9 million Canadian.
It does sound odd, but I was doing a little math in the background while you were introducing the topic, and I believe it’s around $50 per victim, which is how they ended up at the bizarre 200-point-9 million.
In this case, the incident at Desjardins was a rogue, malicious insider who had been accessing and using this information for more than 26 months.
And I suspect that may be why the penalty was so large for a much smaller number of victims compared to Capital One – because they had more than two years to discover this was occurring, and they either didn’t have the controls in place or didn’t take any action against said rogue employee.
One positive result from the Canadian point of view is that the Quebec legislature is now looking at updating and strengthening the privacy protections in Quebec as a result of this breach.
So the positive outcomes won’t just be payments to lawyers in the class action suit.
Hopefully a knock-on positive outcome might be stricter regulation that will prevent this from occurring to more victims.
And, as we mentioned in the article on Capital One on Naked Security, breaches can happen to anybody.
Let’s hope they don’t happen to you… but practising what you would do if you discovered a breach is *not* “planning to fail.”
It’s not an admission of guilt; it’s not saying, “Oh, well, we’re just saying we’ll never do the right thing.”
And it’s my considered opinion that actually if you practise what you would do if you had a breach: “Who do we have to talk to? Which regulatory body needs to know? Who’s going to take charge of talking to customers? What kind of language are we going to use?”…
…if you go through that exercise, even if it’s not the technical part of the security response, my gut feeling is you’re actually less likely to have a breach in the first place.
Because you’ve started thinking about the hard questions of what would happen if you did have one.
And nothing focuses the mind like having a dry run!
CHET. And even those of us who have lots of practice and work in this field need to keep that in mind ourselves, right?
I mean, a colleague of ours, a couple of weeks ago was in this situation of, “Oh, don’t worry, I have backups of my firewall. Oh, wait. The backup stopped working in February.”
It’s easy for these things to espcae notice when you’re not practising them.
Even if you had started off on the right path, maybe you’ve taken a slight veer off the path since the last time you reviewed them.
So, it’s not something that’s a one-time exercise either.
It needs to be maintained and practised so that you’re sure that all your protective controls are actually functioning.
I know it’s a cliche, and I know it’s a truism, and we’ve said it very many times before on the Naked Security podcast, but if you don’t mind, Chester, I’m going to say it again…
“Security is a journey. It is not a destination.”
CHET. Absolutely correct!
DUCK. Well, Chester, thank you so much for stepping up to the microphone at short notice while you’re in… it’s in Orange County, isn’t it, Anaheim, no less?
CHET. I am in Orange County, California.
That is correct.
DUCK. So, thank you very much for making time in your hotel room to come on this week’s podcast.
I do appreciate your efforts, and it remains only for me to say to everybody who listened, thank you so much for doing so, and until next time…
BOTH. Stay secure…