Category Archives: News

Business Email Compromise – fighting back with machine learning

If you’re interested in artificial intelligence (AI) and how it can be used in cybersecurity…

…here’s a DEF CON presentation you’ll like, coming up this weekend!

DEF CON is perhaps the ultimate “come one/come all” hackers’ convention, now in its 28th year, and it famously takes place in Las Vegas each year in a fascinating juxtaposition with Black Hat USA, a corporate cybersecurity event.

Black Hat, where tickets cost thousands of dollars, runs during the week, and then DEF CON, where tickets are just a few hundred dollars, takes over for the weekend that follows, resulting in what can only be described as a Very Massive Week for those who attend both.

At least, that’s how it was last year, and for many years before that.

This year is different, of course – holding a physical conference and running all the many DEF CON Villages would have been impracticable due to coronavirus social distancing regulations, if it would even have been possible at all. (Though you would surely have seen the funkiest facemasks ever!)

The DEF CON Villages are breakout zones at the event where like-minded researchers gather to attend talks and discussions in research fields all the way from Aerospace, Application Security and AI to Social Engineering, Voting Machines and Wireless.

But DEF CON doesn’t give up easily and, like many other events in 2020, has gone virtual, wittily dubbing this year’s event DEF CON 28 SAFE MODE.

Safe Mode is the special, stripped-down mode you use when you boot up your operating system or your mobile phone with a minimal set of drivers and apps – ironically, a mode that is sometimes used by ransomware crooks so they get access to scramble all your files without the pesky problem of your security and system management software getting in the way.
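The Safe Mode trick does leave a trace, because before the reboot a process has to change the boot configuration, normally with bcdedit. As an added example that is not code from the original article, here is a Python scan over constructed process-creation records (the field names are assumptions about what a Sysmon Event ID 1 or Windows Security 4688 event would carry): it flags commands that set safeboot, treats the reverse deletevalue as lower priority because administrators use it too, and raises the severity when a forced restart follows on the same host within a few minutes.

```python
"""Flag processes that arrange a reboot into Windows Safe Mode.

Added example, not code from the original article. The records are
constructed; their field names are assumptions about what a Sysmon
Event ID 1 or Windows 4688 process-creation event would carry.
"""
import re
from datetime import datetime
from typing import Optional

# bcdedit /set {current} safeboot minimal              (Safe Mode)
# bcdedit /set {default} safeboot network              (Safe Mode with Networking)
# bcdedit /set {current} safebootalternateshell yes    (Safe Mode with Command Prompt)
SAFEBOOT_SET = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*?[/-]set\b.*?\bsafeboot(?:alternateshell)?\b",
    re.IGNORECASE,
)
# Reverse operation: admins use it, and so does malware tidying up afterwards.
SAFEBOOT_CLEAR = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*?[/-]deletevalue\b.*?\bsafeboot", re.IGNORECASE
)
# A forced restart shortly after the boot change is what makes the change bite.
RESTART = re.compile(r"\bshutdown(?:\.exe)?\b.*?[/-]r\b", re.IGNORECASE)


def classify_command(cmdline: str) -> Optional[str]:
    """Name the Safe Mode manipulation in a command line, or None."""
    if SAFEBOOT_SET.search(cmdline):
        return "safeboot-set"
    if SAFEBOOT_CLEAR.search(cmdline):
        return "safeboot-cleared"
    return None


def scan(records: list, window_s: int = 300) -> list:
    """Return one finding per Safe Mode manipulation, with a severity.

    'safeboot-set' is medium on its own and high when the same host runs a
    restart within `window_s` seconds afterwards; 'safeboot-cleared' is low.
    """
    def stamp(r):
        return datetime.fromisoformat(r["UtcTime"])

    restarts = [(r["Host"], stamp(r)) for r in records if RESTART.search(r["CommandLine"])]
    findings = []
    for r in records:
        kind = classify_command(r["CommandLine"])
        if kind is None:
            continue
        severity = "low"
        if kind == "safeboot-set":
            t0 = stamp(r)
            followed = any(
                host == r["Host"] and 0 <= (t - t0).total_seconds() <= window_s
                for host, t in restarts
            )
            severity = "high" if followed else "medium"
        findings.append({
            "host": r["Host"], "time": r["UtcTime"], "user": r["User"],
            "parent": r["ParentImage"], "finding": kind, "severity": severity,
            "command": r["CommandLine"],
        })
    return findings


# Constructed sample records: a benign enumeration, a malicious set + restart
# from a dropped executable, and an administrator clearing the value later.
SAMPLE_RECORDS = [
    {"UtcTime": "2020-08-07T10:02:11", "Host": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'cmd.exe /c "bcdedit /enum"'},
    {"UtcTime": "2020-08-07T10:05:40", "Host": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": "bcdedit /set {current} safeboot minimal"},
    {"UtcTime": "2020-08-07T10:05:42", "Host": "WS01", "User": "CORP\\alice",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": "shutdown /r /f /t 0"},
    {"UtcTime": "2020-08-07T11:15:00", "Host": "SRV02", "User": "CORP\\itadmin",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bcdedit /deletevalue {current} safeboot"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['host']} {f['time']} {f['finding']}: {f['command']}")
```

Running the file lists the two findings, the set-plus-restart on WS01 as high and the clean-up on SRV02 as low. The parent image is carried along deliberately: bcdedit launched from a user's Temp folder is a very different thing from bcdedit launched from an administrator's console, and that context is what an analyst will look at first.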

So, for all that the cancellation of the physical DEF CON event is bad news for those who build it into an annual cybersecurity pilgrimage to Las Vegas…

…the flip side is that you can “attend” this year without travelling at all, and free of charge, too!

So, as we said at the start, if you’re interested in artificial intelligence and machine learning, why not tune in for an AI Village talk that two Sophos researchers are giving on Sunday 2020-08-09 at 09:00 PDT, entitled:

Detecting hand-crafted social engineering emails
with a bleeding-edge neural language model

Why is this interesting? More to the point, why is it important?

Well, one reason is that there is a whole category of cybercrime known as BEC, short for Business Email Compromise, where crooks find a way to pass themselves off as someone important in your organisation such as the CEO or CFO, and send out emails giving false instructions.

Typically, those emails don’t try to trick anyone into clicking links or opening booby-trapped attachments – they often just issue bogus corporate orders such as, “Please use a different bank account number from now on”, or, “Urgent! Please remit this money now but don’t talk about it to any colleagues because it’s an acquisition and we are under a strict non-disclosure rule until later this week”.

In other words, most of the telltale signs that are so useful in trapping conventional spams and scams are missing – in particular, BEC emails rarely include clickable web links or attached files that stand out as suspicious and can be analysed for signs of danger.

Worse still, if the crooks have compromised the email account completely, they have access to the legitimate owner’s own outbox, typically going back months or even years, so they can study the language, company jargon and style that the person would usually use in their own correspondence.

Indeed, the crooks can copy and paste boilerplate text such as greetings, common turns of phrase and sign-off lines so that their fraudulent emails have just the sort of opening and closing remarks you’d expect. (For example, if your CEO would always write, “Dear Paul” and wouldn’t dream of an informal “Hi there, Duck” – or vice versa – then the crooks will know.)

But copying someone’s overall writing style exactly is hard, especially when you are writing things that are the opposite of what the real sender would actually say.

So our researchers, Younghoo Lee and Joshua Saxe, set out to see if they could catch the crooks out by using natural language models to spot this sort of fraud.

After all, machine learning models are immune to blandishments, threats, flattery and other tricks that social engineers use when communicating with humans, so they can’t be manipulated into overlooking or excusing the unavoidable imprecision and incorrectness that is necessary to commit fraud.
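To illustrate why style is hard to fake, here is a crude stylometric check written for this page as an added example. It is not the neural language model from the talk, and the emails in it are constructed. It learns a sender's usual greeting and sign-off from their outbox and strips them before scoring, since a crook with mailbox access can paste those verbatim, then scores a new message by the share of character trigrams in its body that never appear anywhere in the sender's own outbox.

```python
"""Stylometric check for Business Email Compromise (BEC).

Added example, not the neural language model from the DEF CON talk.
A crook who owns the mailbox can copy the sender's greeting and sign-off
verbatim, but the body of a fraudulent instruction still has to say things
the real sender never says. All messages below are constructed sample data.
"""
from collections import Counter


def _lines(mail: str) -> list:
    """Non-empty, whitespace-trimmed lines of a message."""
    return [ln.strip() for ln in mail.strip().splitlines() if ln.strip()]


def trigrams(text: str) -> list:
    """Overlapping character trigrams of `text`."""
    return [text[i:i + 3] for i in range(len(text) - 2)]


class SenderStyleModel:
    """What one sender's outbox looks like once copied boilerplate is removed."""

    def __init__(self, outbox: list) -> None:
        # The most common first and last lines are treated as boilerplate that
        # a crook could simply paste, so they carry no weight in the score.
        self.greeting = Counter(_lines(m)[0] for m in outbox).most_common(1)[0][0]
        self.signoff = Counter(_lines(m)[-1] for m in outbox).most_common(1)[0][0]
        self.seen = set(trigrams(" ".join(self.body(m) for m in outbox)))

    def body(self, mail: str) -> str:
        """Lower-cased message text with the learned greeting/sign-off removed."""
        lines = _lines(mail)
        if lines and lines[0] == self.greeting:
            lines = lines[1:]
        if lines and lines[-1] == self.signoff:
            lines = lines[:-1]
        return " ".join(lines).lower()

    def novelty(self, mail: str) -> float:
        """Fraction of the body's trigrams never seen in the outbox (0.0 .. 1.0).

        A body that is nothing but boilerplate scores 0.0: there is no
        evidence either way, so it is left to other controls.
        """
        grams = trigrams(self.body(mail))
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.seen)
        return unseen / len(grams)


def verdict(model: SenderStyleModel, mail: str, threshold: float = 0.4) -> str:
    """'review' when the body drifts too far from the sender's own style."""
    return "review" if model.novelty(mail) > threshold else "ok"


# Constructed outbox of a fictitious CEO, "Margaret", writing to "Paul".
GENUINE_OUTBOX = [
    "Dear Paul,\nThanks for the update on the quarterly figures. Please could you"
    " send the revised forecast by Thursday?\nKind regards, Margaret",
    "Dear Paul,\nThanks for chasing the supplier. Please could you confirm the"
    " delivery dates by Friday?\nKind regards, Margaret",
    "Dear Paul,\nThanks for the board pack. Please could you circulate the"
    " minutes by Monday?\nKind regards, Margaret",
    "Dear Paul,\nThanks for the draft. Please could you check the figures with"
    " finance by Wednesday?\nKind regards, Margaret",
]

# A genuine message held back from training, and a constructed BEC attempt
# that copies the greeting and sign-off exactly.
HELD_OUT_GENUINE = (
    "Dear Paul,\nThanks for the summary. Please could you send the final"
    " figures by Tuesday?\nKind regards, Margaret"
)
SUSPECTED_BEC = (
    "Dear Paul,\nI need you to wire $48,500 today to the account below for an"
    " acquisition. Do not discuss this with anyone, it is confidential until"
    " the deal closes.\nKind regards, Margaret"
)

MODEL = SenderStyleModel(GENUINE_OUTBOX)

if __name__ == "__main__":
    for label, mail in (("held-out genuine", HELD_OUT_GENUINE), ("suspected BEC", SUSPECTED_BEC)):
        print(f"{label}: novelty={MODEL.novelty(mail):.2f} -> {verdict(MODEL, mail)}")
```

Running the file prints the novelty score and verdict for both samples. The 0.4 threshold, the names and every message are assumptions for the demonstration; a real deployment would train on a much larger outbox, use a richer model than a trigram set, and route high-scoring mail to a human for review rather than block it, because a sender who genuinely changes topic will also look unusual.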

How to attend

Watch live at 09:00 PDT on Sunday 2020-08-09 (that’s noon on the East Coast, 5pm in the UK, 18:00 in Central Europe, or 2020-08-09T16:00:00Z in RFC 3339 UTC notation), or you can view the video later if that’s better for you.

The live stream is here: https://www.twitch.tv/aivillage

We’ll add in the “watch later” YouTube link here once it’s up.

Please join us if you can!

You might also like…

Here’s a recent Naked Security Live video in which we discuss the human defences you can muster against Business Email Compromise crooks:

Porn blast disrupts bail hearing of alleged Twitter hacker

One of the alleged Twitter hackers faced a bail hearing in a Florida court yesterday.

ICYMI, the Twitter hack we’re referring to involved the takeover of 45 prominent Twitter accounts, including those of Joe Biden, Elon Musk, Apple Computer, Barack Obama, Kim Kardashian and a laundry list of others with huge numbers of followers.

The hacked accounts were then used to send out bogus Bitcoin investment messages along the lines of “pay in X bitcoins, get 2X back!”, although as an investigator in the criminal case wryly pointed out in his affidavit, “No bitcoin was ever returned, much less doubled.”

Amongst other things, the alleged crooks are said to have ended up with more than $100,000 of bitcoins sent in by trusting Twitter users who’d been duped by the upbeat messages that apparently came from celebrities.

As you can imagine, given current coronavirus concerns, even though the hearing took place before the court, not all the participants were actually in the courtroom.

Instead, the courtroom was hooked up to a Zoom meeting that was, it seems, not adequately secured against – how shall we put this? – external interference…

…with sadly predictable results.

Zoombombers, as they’ve become known, are miscreants who join in Zoom calls not to participate but to disrupt, something that’s all too easy if the call is set up with the same sort of implicit behavioural trust that everyone expects in face-to-face meetings.

The word zoombombing infamously entered our vocabularies back in March this year when Verge journalist Casey Newton hosted a time-to-share-the-love-during-coronavirus-lockdown meeting entitled “WFH Happy Hour”.

Newton even invited his parents along as guests of honour, something he soon had cause to regret.

With few or no security options turned on for the meeting, it turned into an eye-watering experience as one or more killjoys hijacked the Zoom session by sharing their own screens and bombarding the other participants with heavy-duty pornography.

When kicked out, the Zoombombers apparently just rejoined the meeting repeatedly until the hapless hosts had no choice but to shut it down entirely.

Well, it happened again during the court hearing in Florida, when numerous online interruptions blasted the courtroom with music, profanities, rants against the judiciary and, apparently but not surprisingly, porn.

Once again, the interruptions were troublesome enough that the hearing was ended after 25 minutes, with the judge heard to say that future hearings will be “password protected”.

Apparently the hearing did reach some conclusions: the accused Twitter hacker, who is only 17 years old, had his request to reduce his bail amount refused.

Prosecutors, however, didn’t convince the judge to require the accused to account for the source of any money he puts up to secure his release from custody.

He’ll have to pay $725,000 if he wants to make bail, but if he does come up with the money, he won’t have to prove that it was legally acquired.

Reports suggest that the accused was linked to a large-scale Bitcoin theft earlier this year, but wasn’t prosecuted after handing over BTC 100 (around $1,000,000) to investigators.

A New York Times story published over the weekend suggests that those 100 bitcoins were part of a larger haul of BTC 164 taken from a Seattle technology investor who was the victim of a SIM swap, apparently leaving BTC 64 unaccounted for – just over $700,000 at today’s Bitcoin prices.

What to do?

Zoom calls are a great way to hold your usual business meetings while working from home, as well as to conduct webinars and give presentations while conventional conferences and seminars are banned in most countries.

But openness in a meeting room inside your company HQ, where there are probably security guards to keep the peace if needed, or public court hearings controlled in a similar way, are very different beasts from online meetings.

We’ve already published a handy guide entitled 5 things you can do today to make Zooming safer, and we urge you to read it if you haven’t already.

A few simple precautions will make it easier to stop disruptors crashing your meetings in the first place, and quicker to boot out anyone who does get into the meeting but breaks your rules of conduct.


GandCrab ransomware hacker arrested in Belarus

Law enforcement in Belarus has announced the arrest of a 31-year-old man who is alleged to have extorted more than 1000 victims with the infamous GandCrab ransomware in 2017 and 2018.

He apparently demanded payments ranging from $400 to $1500 in Bitcoin.

Unlike more targeted attacks where crooks break into networks first and directly infect them with ransomware later, the unnamed suspect is said to have gone after victims by the more traditional route of spamming out booby-trapped emails across the globe.

The Belarus Ministry of Internal Affairs claims that computers that the suspect managed to infect were in more than 100 different countries, notably India, US, Ukraine, UK, Germany, France, Italy and Russia.

The authorities have painted a picture of the suspect as what you might call a “career” cybercriminal – allegedly he did not have a regular job but instead:

  • Used GandCrab malware variants to conduct ransomware attacks.
  • Created and sold malware for buyers on underground forums.
  • Made money out of illicit cryptomining.

GandCrab was what is commonly referred to as RaaS, short for Ransomware as a Service.

The term RaaS is a cynical reference to legitimate abbreviations such as SaaS (software as a service), which refers to software that you access via the cloud rather than installing and managing yourself.

In other words, the suspect arrested in Belarus – assuming that he did commit this crime, of course – wouldn’t have created the GandCrab malware himself, or even collected the cryptocurrency payments from his victims.

Instead, he’d have signed into a cloud-based service on the dark web that would not only generate a unique sample of the malware for him to download but also “process payments” from victims whose files were scrambled by it.

The suspect would therefore essentially have been acting as an intermediary who took the risk of distributing the malware in return for a cut of the takings.

“Fees” or “commissions” charged by RaaS operators have typically been set at 30%, with the crooks brazenly copying the 70/30 split introduced by companies such as Apple and Google in their App Store and Play Store marketplaces.

The operators of the GandCrab online service shut down in 2019 after bragging that their “affiliates” had raked in a mammoth $2 billion via the “service”, meaning hundreds of millions for the master crooks themselves:

For the year of working with us, people have earned more than $2 billion. […] But […] all good things come to an end. We are leaving for a well-deserved retirement. We have proved that by doing evil deeds, retribution does not come.

The smart money, however, was that they folded the GandCrab service simply to start up again in new clothes, because the same crooks are alleged to be behind the REvil (aka Sodinokibi) ransomware that you will have heard about many times in Series 2 of the Naked Security Podcast.

The arrest of an alleged GandCrab ransomware disseminator is therefore not quite as dramatic as the arrest of the crooks who are supposed to have run the cloud service at the heart of it all…

…but it’s a start.

What to do?

Back in 2017, we went on the dark web and “signed up” for a Ransomware as a Service (RaaS) cloud system called Satan and wrote a report on what we found. If you want to see how RaaS works from the affiliate’s side, that article is worth reading.

For insight into the ransomware situation and advice on how to prevent ransomware attacks in your organisation, please take a look at our State of Ransomware 2020 report.


Twitter hack – three suspects charged in the US

The US Department of Justice just issued a press release entitled simply, “Three Individuals Charged for Alleged Roles in Twitter Hack.”

In some ways, the Twitter hack referred to, which happened just two weeks ago on 2020-07-15, was tiny.

In a world in which data breaches involving millions, hundreds of millions and even billions of accounts aren’t unusual, the fact that Twitter lost control of just 45 accounts seems, at first glance, almost inconsequential. (Estimates suggest that Twitter has about one third of a billion active users.)

But there are two reasons why that’s not the case.

Firstly, every user has the right to have their personal data protected and their accounts shielded from takeover by hackers through no fault of their own, so even one hacked account is a cause for concern.

Secondly, these weren’t just your account or my account – according to the affidavit filed by IRS Criminal Investigator Tigran Gambaryan against one of the three accused:

[M]ultiple high-profile verified accounts were compromised, including accounts belonging to Bill Gates, Elon Musk, Kanye West, Joe Biden, Barack Obama, Jeff Bezos, Mike Bloomberg, Warren Buffett, Benjamin Netanyahu, and Kim Kardashian.

As you can imagine, tweets sent out from these accounts – even if the deception were spotted quickly and the accounts locked down anyway, which is ultimately what happened – would reach a vast number of people, and would carry an awful lot of influence.

According to the indictments, those involved in the hack used these high-reach accounts to promote a Bitcoin scam that urged victims to get involved in a “two-for-one” scheme: pay in some bitcoins to Gates, Musk, West et al., and they’d pay you back double.

A number of cryptocurrency exchanges also allegedly had their accounts hacked to encourage similarly fraudulent “investments” via a website called cryptoforhealth.com.

As Investigator Gambaryan wryly notes in his affidavit:

No bitcoin was ever returned, much less doubled.

The indictments also allege numerous other interactions between two of the suspects – the investigators argue that this shows them working together to take over other Twitter accounts (ones with cool-sounding or short names, known as OGUs, short for “original gangster users”).

The investigators present evidence to support their allegations, including Bitcoin transactions purporting to show payment for hacked accounts, and instant messaging chats discussing and setting prices for desirable OG usernames.

The suspects

As we mentioned above, three individuals have been charged, but we’ve only listed two affidavits against two of the suspects – the third, apparently, is under 18 and hasn’t been publicly identified yet.

Interestingly, one of those charged is from the UK, not the US, and is currently in the UK as far as we can tell – we presume that the US will seek to extradite him to face charges in America.

Well done to US law enforcement for investigating quickly and presenting their allegations in interesting and informative detail. (The affidavits linked to above are well worth reading if you are interested in how this sort of crime is followed up.)

Of course – as the Department of Justice points out in its press release – these are only allegations so far, and the suspects enjoy the presumption of innocence.

We’ll be watching with interest and will keep you informed here of any developments.
