Security Bytes - Issue 8
Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, industry leadership, and multiple patent-winning recognition for innovation in security solutions.
This week we’re looking at a few things that speak to a small hack that could be the canary in the cyber mine, as well as looking at how cyber, fraud, con jobs, and digital reach are merging challenging the human brain.
But for those that don’t really like my long writings, we’ll start with some quick hits (pun intended… )
--------------------
Janet Jackson Will Crash Your Computer
This is so completely crazy and awesome at the same time (I’m still not quite convinced this isn’t an elaborate hoax). Thanks to our own security pro Tom Becket for sharing with me. A major computer manufacturer discovered that playing Janet Jackson’s “Rhythm Nation” in proximity of laptops with a certain hard drive installed will – wait for it – cause the computer to crash! Apparently, there is a vulnerability in the hard drive that is susceptible to a resonance frequency that is in the song. There is actually a documented CVE (CVE-2022-38392) and I’ve shared additional links below that give this some credibility. (Is it weird that I’m walking round my house with “Rhythm Nation” playing loudly?)
Sounds nuts, but keep in mind in the pre-computer days of hacking, we hacked into phone systems that were vulnerable to certain frequencies, the most popular being 2600Hz, which was surprisingly produced by a toy whistle that came in the Capt’n Crunch cereal.
Links:
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38392
Article: https://devblogs.microsoft.com/oldnewthing/20220816-00/?p=106994
Video by article author (it’s 2 min and worth the watch!): https://twitter.com/WindowsDocs/status/1558114944738103297
Five Years a Spy
This week Microsoft’s Threat Intelligence Center (MSTIC) published a report on a Russian cyberespionage group operating since 2017 attacking over 30 government organizations and defense contractors. The group is called Seaborguim as well as Callisto, Coldriver, and TA446 by other researchers. Google reported similar concerns earlier in the year and one report tying the cyberspies to the Brexit Leak site. The take-away here is five years is a very long time to be watching your adversary. Lastly, note that in all these articles it’s not said that they’ve been stopped, just disrupted their phishing operations.
Links:
Microsoft report: https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations/
Google report: https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/
John Deere Doom’ed
A bit of a silly story, but an Australian hacker essentially “jailbroke” a John Deere’s tractor computer display to play the old-school first-person shooter Doom. This isn’t the first time JD has been in the news concerning their technical capabilities, both good and bad. I find this type of stuff interesting because we speak of self-driving cars, IoT, industrial control systems, automation, always-on-line systems in vehicles (see articles linked below), and the like, and we’re quite excited for the great things these technologies offer us. But our exuberance has clouded the darker side of possibilities.
Links:
Article: https://www.theregister.com/2022/08/16/john_deere_doom/
Right to repair: https://www.theregister.com/2022/03/07/deere_repair_ftc/
Russian steal bricked tractors from Ukraine: https://www.cnn.com/2022/05/01/europe/russia-farm-vehicles-ukraine-disabled-melitopol-intl/index.html
GM Forces you to buy On Star: https://www.theregister.com/2022/08/11/gm_makes_onstar_addon_mandatory/
Subscription services for cars: https://www.consumerreports.org/automotive-industry/why-you-might-need-to-subscribe-to-get-certain-features-on-your-next-car-a6575794430/
Hardware Hacks
This week researchers demonstrate vulnerabilities that will surely be seen in the wild that allow hackers to by-pass a computer’s Unified Extensible Firmware Interface (UEFI) implementations and bootloaders. In simple terms, a hacker can infiltrate your system at its very foundation and remain completely undetected with unlimited control and access to all information and communications. No biggie.
Links:
MFA and RPA
MFA and RPA
There’s actually a lot that can be unpacked with this story, but let’s just touch the treetops. This week a trading company focused on providing a market for Steam related items, specifically Counter Strike: Global Offensive (CS.GO) skins, was hacked losing an estimated $6M in licensed digital content. The company, CS.MONEY, is known for having the largest market for weapon skins and total assets worth, before the hack, $16.5M.
How did they get hacked? Well, the details are still emerging, but it comes down to a hacked MFA solution and the hackers using a 100 internal system trading bots within the company – a.k.a. RPA – to issue thousands of fraudulent trades; two interesting points. For those not steeped in video games, Steam is essentially a storefront system for digital content management and started as a game update system for games produced by the company Valve in 2003. Actually, Valve was started by former Microsoft employees and started with a hugely successful game called Half-Life.
Valve created the Steam mobile app for users to manage their various purchased content across the vast community of games, creators, and consumers. Recently added to the app was “Steam Guard Mobile Authenticator” effectively providing multi-factor authentication. Sounds great, right? This is where we start to have a problem and that is not all security is the same and it’s not just a “bolt-on”. In this case, the hackers manipulated the MFA process using information stored within the app gaining access into the system. Once in they took over existing bots within the environment and started trading content to their profiles, and even started sending other people content for free in an attempt to throw off detection.
Why am I even talking about this? First, this is something we have to keep an eye on very closely. Valve created an MFA solution in their app. MFA is probably the #1 get-it-done item on every cybersecurity program’s list, therefore hackers will absolutely be targeting these solutions. But, it speaks to, well, why did they create their own when other solutions can be tied in? It may take time for all this to flush out, but while MFA dramatically improves the authentication process, expect hackers to find new ways to break it. Finally, the internal bots (RPA-like) systems that were used essentially as a force multiplier for the hackers. People need to think of bots/programs, etc. as an employee, with access and rights to perform certain functions, and they can be manipulated to do the bidding of others. Except in this case you don’t have morals, ethics, and real world implications to drive out such behaviors with non-human employees.
Links:
Company comments: https://www.twitlonger.com/show/n_1ss3ubv
21st Century scamming
There are thousands of examples of where hackers and cyber bullies use the internet to cause havoc in the real world. In one example, a family was harassed with massive waves of pizza deliveries in the middle of the night for months. Another had tens of thousands of shipping boxes delivered to their house to prove a point. And there are numerous cases of SWAT’ing where police are called to a falsified murder/hostage situation and doors are kicked in. In fact, there are several cases people being shot and killed because of SWAT’ing… all because some hacker wanted your really cool Twitter handle.
When we think of hackers, we tend to forget about the scammer side of that world. We think of hacking as attacking computers, but what of the use of technology in attacking people? A recent article highlighted an attack on an elderly woman who was scammed via email posing as an appliance retailer, coinciding with her recent dishwasher purchase. They convinced her that the $160 paid refund was processed at $160,000, an error on their part, and she needed to wire back the $159,840. Here’s the kicker… when she told them she can’t drive, they sent an Uber to pick her up and take her to the bank. And this isn’t new. There is an ongoing investigation where $700k was stollen by sending Uber to pick up cash from elderly victims. According to the FBI there were 92,000 victims of fraud in 2021 losing a reported $1.7 Billion, a 74% increase over 2020.
And don’t be fooled into thinking fraud is only for the pre-internet generation. I regularly consult/help individuals that have been scammed or attacked digitally in some way and can tell you just recently I’m aware of about $10,000 in losses from people in their 20’s and 30’s. It’s important to recognize we’re only seeing a very small portion of this activity because it’s highly embarrassing and law enforcement is not always effective, so they go unreported. Also, many of these scams are relatively small, between $200 and $3000.
What is really happening here? Is everyone gullible and over trusting? No. I think that’s the easy excuse and it creates a false sense of confidence, “It’ll never happen to me, I’m smarter than that,” mindset. It’s also the common answer because the real answer is too scarry. The simple fact of the matter is our brains are not prepared for the onslaught of manipulation that is possible. Technology has advanced to a point where it’s difficult to decern one reality from another. In history this was the basis for Magic and that was manipulated by criminals to fool people. Today is no different.
Having helped many people in a number of different situations, I can share a few common threads, all of which will sound familiar: 1) if it’s too good to be true, it is; 2) don’t use money transfer services that pay to email addresses/phone numbers unless you have several other forms (3+) of verification; 3) avoid using debit cards, but if you must note that international standard ISO-9564 sets the maximum length possible for PIN to 12 digits; 4) don’t trust anything your receive in email, even if has to do with a recent purchase or the like; 5) never click a link from an email or text, and if you can’t help yourself, run it through VirusTotal.com first. That should get you started.
Scams are highly successful because they prey on human instincts and how we perceive the world around us. The best way to think about is just like a magic trick. The magician fools you not because you’re gullible, overly trusting, or stupid… they’re successful because they know how your brain works. Bad people are performing magic tricks, but are empowered by a global technical infrastructure that offers them instant access to you and your brain. I’m not suggesting hide in a corner, but when you walk down the digital sidewalk a see a street magician, keep walking no matter how much entertainment they’re offering you.
Links:
Swatted death over Twitter handle: https://www.nbcnews.com/news/us-news/tennessee-man-targeted-his-twitter-handle-dies-after-swatting-call-n1274747
Kreb’s article: https://krebsonsecurity.com/2022/08/scammers-sent-uber-to-take-elderly-lady-to-the-bank/
$700k Uber Story: https://www.tampabay.com/news/crime/2021/12/10/hillsborough-detectives-seek-ubers-help-in-solving-a-big-bucks-elderly-scam-again/
ISO-9564: https://en.wikipedia.org/wiki/ISO_9564
VirusTotal: https://www.virustotal.com/gui/home/url
About vCISO
The vCISO (Virtual Chief Information Security Officer) practice is comprised of a global community of highly experienced security professionals that we can connect with customers looking to address challenging cybersecurity pressures in a cost effective and resource efficient delivery model. This provides organizations flexible and focused access to cybersecurity expertise in a time when finding, attracting, and affording skills at this level is virtually impossible or impractical.
