Security Bytes - Issue 21

Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, and industry leadership, and holds multiple patents recognizing his innovation in security solutions.

Hi everyone, 

This week we explore thoughts around the FBI's "hacking the hackers" news, and it's clear deepfakes are here to stay, so what's next? Dark web drug markets advertising in the real world, while codebreakers crack a Queen's letters. And my take on security myths; not surprisingly, a different perspective.


Hack Back

I'm sure you saw on the news the FBI saying they've "hacked the hackers", referring to taking down the systems of a notorious ransomware gang called Hive, essentially nullifying a reported $130m in ransom, but no one was arrested (yet, I presume). I have mixed thoughts on this. Attribution is the big elephant in the room. With grade school knowledge you can build quite a sophisticated network of systems that are owned and operated by others to perpetrate your crime, so who are you really hacking? Also, what message is this sending to others concerning interpretations of "active defense"? Of course, the FBI is protected from laws that are intended to define crime for others, much like permission to carry firearms where firearms are illegal for citizens, within the context of policing. But how will this translate into cyberspace? I've raised the question of a cyberspace police force before… and at what point does the criminal element in cyberspace warrant such an organization?

Article - https://www.theverge.com/2023/1/27/23574257/fbi-us-justice-department-seizes-hive-ransomware-network-servers

DOJ press release - https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant

Deepfake it Till You Make it

A recent report by Graphika highlighted that a pro-Chinese influence operation is promoting the interests of the Chinese Communist Party through the use of AI-generated news anchors. A new media outlet called "Wolf News", at first believed to be using paid actors, is actually using AI-generated presenters, as confirmed by British company Synthesia. This is not necessarily new… the concepts of fake news, AI, and deepfakes have been around for a while now. However, it is definitely picking up pace, and you can expect these technologies – including ChatGPT, VALL-E, quantum computing, SIM swapping, crypto, cookie stealing, etc. – to start combining. Do you think not patching ESXi for a year is your biggest problem? You're in for a big surprise.

Report - https://public-assets.graphika.com/reports/graphika-report-deepfake-it-till-you-make-it.pdf

Deepfake news - https://www.vice.com/en/article/v7vw3a/ai-generated-video-burkino-faso-coup

Article - https://therecord.media/deepfake-news-anchors-spread-chinese-propaganda-on-social-media/

Covert influence operations - https://about.fb.com/news/2022/12/metas-2022-coordinated-inauthentic-behavior-enforcements/

Article from last year - https://www.bbc.com/news/technology-60780142

FBI ESXi Recovery Guidance - https://www.ic3.gov/Media/News/2023/230208.pdf

From Russia with Love

I can't help but conjure images from the movie Blade Runner (1982) when I read this article. Considered one of the largest darknet drug market operators, BlackSprut is apparently advertising on giant digital billboards throughout Moscow. Empowered by millions earned through crypto, primarily through Bitzlato, which law enforcement is currently trying to dismantle, BlackSprut is advertising, "Come to me if you're looking for the best." It's unclear if the sign owner was hacked or isn't aware of who their customer is, but nevertheless, pretty brazen.

Article - https://therecord.media/blacksprut-darknet-drug-market-billboards-moscow/

Bitzlato arrests - https://www.europol.europa.eu/media-press/newsroom/news/bitzlato-senior-management-arrested

Updated arrests - https://news.bitcoin.com/bitzlato-co-founder-anton-shkurenko-arrested-in-russia-report/

Queen of Encryption

A group of codebreakers came across a cache of letters written by Mary Stuart, Queen of Scots (1542–1587) between 1578 and 1584, while she was imprisoned by her cousin Queen Elizabeth I. The letters were fully encrypted, surviving only as a collection of symbols. Using a combination of very clever approaches, they deciphered 57 handwritten letters. There are two points I'd like to make. First, it's amazing she was able to do this without the assistance of a key or code book, but apparently from memory. Clearly, very intelligent and highly capable. Second, it goes to show you that virtually all encryption can be decrypted at some point. But what really matters is whether the information exposed will still be useful to the attacker. Well, I think governments around the world think yes, because they're gobbling up encrypted data like it was a Wonka bar: with quantum computing there's a chance for a golden ticket.

Paper - https://www.tandfonline.com/doi/full/10.1080/01611194.2022.2160677

Article - https://www.theregister.com/2023/02/09/codebreakers_mary_queen_of_scots/

Security Mythbuster

Not sure why, but there has been an explosion of articles, videos, and posts about cybersecurity myths. Honestly, google it… you'll get a ton of hits. Maybe it's the phase the industry is in now, I dunno. Anyway, many are a bit silly, but should get you thinking, like "strong passwords are safe". Well, what do you consider a strong password? And if you click on a malicious link, the strength of your password is irrelevant. Nevertheless, I find most of these "myths" to be potentially damaging. For example, a common entry in these collections claims that "it's a matter of 'when', not 'if' you'll be attacked" is itself a myth.

Ok… hold on for a moment. I made my career in security starting about 30 years ago… I started hacking stuff for pay and never looked back. I can say confidently there was a time that the probability of getting hacked was exceedingly low… it was an "if" condition. It all depended on 'IF' what you had could be of value or, more importantly, if it could be monetized. It was also based on the level of effort required to hack you. Fast forward from the dark ages to today and we have crypto that makes everything monetizable, and at the heart of it is ransomware. There is so much drive-by ransomware that most victims are having to wait extended periods of time to pay a ransom because the bad guys are overloaded, so the probability of getting attacked is akin to getting wet in the rain.

On a more serious note, surprisingly, most learned the hard way about supply chain risk from the SolarWinds debacle. Given the complexity of systems, hackers find it far easier to attack an "edge" environment that practices very little security but is a provider to a complex system owned and operated by a company that has made huge investments in security. So the odds of getting hacked are increased because you represent potential value as part of a larger objective. Getting hacked/attacked is definitely a matter of when… you ran out of "ifs" decades ago.

Supply chain article - https://www.theregister.com/2023/02/05/supply_chain_security_efforts/

OSC&R, a MITRE ATT&CK-like framework for supply chain - https://pbom.dev/