Security Bytes - Issue 17

Let me start by saying this one of those stories that you really need to read more about if you’re not already familiar with Zeus, also it’s a little personal having delt with Zeus in one way or another since, well, I guess 2007-ish, if memory serves. In short, Zeus can be defined as a hacker tool, although that doesn’t do it justice. That would be like calling Metasploit a scanner.  Zeus was (is) a highly effective malware written by Evgeniy Mikhailovich Bogachev, who has a $3m bounty on his head by the FBI from 2015, that was originally used for, as the FBI would say, bank fraud and money laundering. In short it would siphon your bank account and you would never know. This is how hackers worked pre-crypto, you had to steal the money and Tank was good at it.  Vyacheslav Penchukov, aka Tank, is the leader of the Zeus cybercriminal group JabberZeus. This week Brian Krebs broke the story that Tank was arrested in Switzerland with the US seeking extradition. The history of Zeus is an interesting one and Tank built a very successful crime network based on the tool. Hearing that book is closed is good, but Zeus is still out there.

Krebs article - https://krebsonsecurity.com/2022/11/top-zeus-botnet-suspect-tank-arrested-in-geneva/

Is your EV too smart?

In the early 2000’s, as Zigbee was becoming more interesting, I started getting quite involved in the security of the electrical grid and especially with SmartGrid. I got into my share of heated discussions concerning the security concerns and regularly demonstrated concerns were real. Fast forward to the 2015-2018 era where cars were starting to get hacked. Interestingly, most cars have as much as a 100 million lines of code, which is a ton when one considered Windows 11 has roughly 50 million. Jump to today, where we have EV’s connecting to the grid through charging stations and the internet – which frankly was a big component of the SmartGrid strategy! But, has security in EV’s and the grid evolved? Are they ready to interact and integrate? Complex systems are difficult to secure, but even more so when these systems interact. Add to this the subscription model being adopted by automakers, for example Audi, BMW, Cadillac, Porsche, and Tesla are all rolling out options from driver assistance to seat heaters, we have the potential for a completely new form of cyber-attacks. How about having to pay a ransom on your smartphone to start your car? What if hackers auto-park your car in an unsafe location, and will release for a few bitcoin? Also, baddies aren’t stupid, they’re going to impact you while on a road trip with your family in the middle of nowhere. This week Sandia National Labs posted an article/newsletter concerning a study performed outlining the vulnerabilities and considerations of EV interactions with the grid. Billions are being invested in the creation of a charging infrastructure and is being rolled out rapidly, and now people are starting to look at the potential cyber implications.

Sandia article - https://newsreleases.sandia.gov/ev_security/

Smart Grid - https://www.energy.gov/science-innovation/electric-power/smart-grid

Car subscriptions - https://www.consumerreports.org/automotive-industry/why-you-might-need-to-subscribe-to-get-certain-features-on-your-next-car-a6575794430/

Danger, Danger Will Robinson

While at the Aspen Cyber Summit, Mieke Eoyang, the deputy assistant secretary of defense for cyber policy made a number of interesting comments, one highlighting Russia has “underperformed” from a cyber perspective and further noted, “Things that Russians tried to disrupt via cyber did not have the strategic impact that they wanted and they sought to destroy those things physically.” This does change the strategic calculous of war in modern times and the massive increase of collateral damage, which is technically not collateral in cyberwar. My one issue here is that Russia has been getting a lot of attention for cyber activities, but also noted as not being all that effective. In one hand, when look back at things such as NotPetya, the power of that cyberweapon rested on the shoulders of sophisticated tools developed by the NSA. This may lead many to have a lesser view of the Russian’s capacity for cyberwar, but I would warn you not to become complacent.  

Article - https://therecord.media/russias-cyber-personnel-have-underperformed-in-ukraine-u-s-defense-official/

Will Robinson reference - https://en.wikipedia.org/wiki/Lost_in_Space

It's all about Ransom

As I’ve shared here on Security Bytes, there have been a number of articles and reports from and about the UK’s government’s handling of cyber threats, most notably ransomware. A recent article notes that crisis management meetings, usually reserved for terror attacks, have been primarily convened for ransomware attacks, speaking not only to the level of impact these attacks are having on the country, but also the level of threat they represent. If you don’t have time to read the article… below are a few sentences that capture the tone. While you read think about the push for reporting incidents (beyond GDPR) and the evolution of laws regarding not permitting ransom payments, most notably and recently in the US and Australia. These are concerning times where company needs to operate are potentially conflict with regulatory oversight in ways we haven’t seen before at scale.

In response to a list of questions regarding all of the statements in this report, a government spokesperson told The Record: “Defending the U.K. from ransomware attacks is a core priority for this government. Given the complex nature of the threat, we are working collaboratively across departments, with law enforcement and agencies, and our international partners to strengthen our cyber capabilities and build the U.K’s resilience.” 

They added that there are ongoing reviews of the government’s policy and operational approach to tackling ransomware, including through consistent collaboration with industry and international partners. 

Officials dealing directly with the ransomware issue told The Record they saw no light at the end of the tunnel, even of the prospect of any improvements which could help the U.K. clamp down on the problem. 

They said they were seeing “an increasingly successful business model” with “ransom demands increasing” and “payments increasing” and it becoming “harder to avoid paying a ransom because the entire ecosystem is pushing that way.”

Must read Article - https://therecord.media/ransomware-incidents-now-make-up-majority-of-british-governments-crisis-management-cobra-meetings/

NCSC’s report - https://www.ncsc.gov.uk/collection/annual-review-2022

Lindy Cameron, CEO of NCSC (part of GCHQ) vid - https://youtu.be/FqWt42kSTrw

National Cyber Survey - https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022

State-of-the-Art

This one is a bit of a mixed message, so hang on! This week saw a lot of news around ransomware coming from various conferences, a number of publications and announcements all circling the topic. One of the themes surrounds the government’s ability to use sophisticated technology to recover cryptocurrencies used in the payment of ransomware. Ok, first point, this tech isn’t necessarily new. There are a number of organizations and groups that perform blockchain analysis, but one can rightly assume the government is really, really good at it. But why tout this advantage you’ve been using to hunt down more serious crimes, such as terrorism and human trafficking? Because POTUS said so. Now, agencies are all-in, which is good for the rest of us, but a little part of me hopes we still have other unpublicized capabilities for the other challenges. The other side of that coin is knowing the bigger the number the bigger the attention. For example, just last week the DOJ announced they’ve seized $3.3 Billion in bitcoin from James Zhong living in Gainesville, Georgia that he stole in 2012 when working on Silk Road, which was shutdown by the FBI in late 2013. That $3.3 B is a huge number, right? Well, when Zhong stole that 50,000 bitcoin (51,351.89785803 to be exact, and 50,491.06251844 was recovered, which as you know, in 2017 bitcoin split, making for 50k BTC and 50k BCH) was worth $13.50 at the end of 2012, making for a whopping $675,000. Of course, one has to ask.. what the heck was Zhong thinking hanging on to that much crypto for so long? There’s a story there for sure.

Where am I going with all this? How does the economy survive something’s value going from $650k to $3.3B in a decade, especially when one considered that Silk Road processed more than 9 million in crypto? Will people start to rely on the government to recover their lost crypto payments and where does insurance companies fall into this narrative? Did we inadvertently expose capabilities that will help the really nasty criminals and terrorists to manage money more effectively?

DOJ inditement - https://www.justice.gov/usao-sdny/press-release/file/1549811/download

FBI Silk Road - https://www.fbi.gov/contact-us/field-offices/newyork/news/press-releases/ross-ulbricht-the-creator-and-owner-of-the-silk-road-website-found-guilty-in-manhattan-federal-court-on-all-counts

Clock is TikTok'ing down on Your Privacy

I’ve lost count of the number of reports, articles, and warnings over the last few years about TikTok accessing your data. It’s an interesting social reality when one considers how individuals balance exposure to the use a given app. For example, if you were told that a foreign nation was collecting your data and you could make it stop by uninstalling an app, would you?  How do you know what may be collected and who has access? And that’s the point. Early in November TikTok’s privacy policy update got a lot of attention because it spells out to European users that, yes, your data can be accessed by employees outside the continent, including China to ensure the user’s experience is “consistent, enjoyable and safe”.

TikTok’s head of privacy in Europe, Elaine Fox, said: “Based on a demonstrated need to do their job, subject to a series of robust security controls and approval protocols, and by way of methods that are recognised under the GDPR [the EU’s general data protection regulation], we allow certain employees within our corporate group located in Brazil, Canada, China, Israel, Japan, Malaysia, Philippines, Singapore, South Korea, and the United States, remote access to TikTok European user data.”

Interestingly, the current US president scrapped the policies of his predecessor pressing the sale of TikTok’s US business. At the heart of the issue is that it’s virtually impossible to validate the security controls and practices within China concerning data.

Article - https://www.theguardian.com/technology/2022/nov/02/tiktok-tells-european-users-its-staff-in-china-get-access-to-their-data