April 27, 2017
Such is the way Homo Sapiens are: we’re constantly – even recklessly – looking to the future to try and work out what it might hold for us. Many say we should all live in the present – after all, the future never comes – but, well, that doesn’t work for everyone, and most of us do need to make at least some plans for our futures.
But there are different approaches to looking ahead.
There’s belief in fate, pure guessing, flipping a coin, and so on. There’s also not thinking about the future at all. But there’s a far superior, science-based approach too. This is doing the eastern spirituality thing a bit – not quite being in the present but carefully analyzing the present instead – to be able to predict the future as accurately as possible. And this is exactly what is done to predict the cyber-future; in particular – the security of the cyber-future. And that’s what we do – little by little every day, but also broadly and deeply and especially – and merrily – every year, when we bring together the world’s cybersecurity elite for a week-long pow-wow in a tropical seaside resort, which pow-wow we call the Security Analyst Summit (SAS):
Oops – wrong vid. Here u go…:
D’oh! Nope. This one:
I don’t know quite how it’s done but every single year SAS just gets better. I mean, it’s always been GReAT, but the GReATness just keeps going up and up: more experts, better quality content, better and more original ideas, slicker, cooler, and more and more world scoops and exclusive material.
And it’s exclusive material that I’ll be writing about in this here post. Specifically, my Top-5 favorite presentations from SAS-2017. I’m not saying the others were no good or just so-so, it’s just I wasn’t physically able to see them all as they were running simultaneously in different halls. Also – everyone has their own taste; well here’s a guide to mine!…
Off we go!…
This was a report from S.G. and I.S. on their long days and nights investigating ATM robberies. The layman isn’t aware just how vulnerable these holes-in-the-walls are to certain bad guys with computers. But that’s the layman; perhaps he can be forgiven. What’s remarkable is how some ATM manufacturers and even the banks themselves don’t seem to be that bothered about finding a solution to the problem; meanwhile, the scale of that problem grows by the day – today on a scale measured in billions of dollars.
Here’s one of the ways the cyber-swine emptied whole ATMs: a tiny hole is drilled into the casing of an ATM, and a connector is fed through it; on the end of the connector is a special digital device that can control literally everything, including dispensing cash. This is made possible by the absence of both encryption worthy of the name and system authorization. Yes, you read that right. On an ATM. It’s harder breaking into a PC; at least – it was, until we studied this crafty attack method, which led to both the authors and users of the attack method getting sent to prison.
For years, manufacturers worked hard to prevent physical robberies of ATMs, and did a good job of it too. But hey, guys – maybe it’s time to work hard on preventing cyber-robberies also?
2. A Maze for a Penguin Under the Moonlight.
What I really liked at this year’s SAS was the abundance of joint investigations. By joint investigations I mean those carried out by different security experts (sometimes working for competitors), developers, and police forces.
At first one might think that the IT security industry is kinda like a serpentarium, where each snake player has its own corner and is always on the lookout for how to strangle its neighbor and take their share of the market. Actually (and SAS is confirmation of this), experts’ main concern is the security of users. If you can’t quite crack something alone – ask a colleague. Nothing wrong with that; it’s just common sense – and so it’s encouraged. It’s great to see how, despite geopolitics tending to go in the other direction, national and corporate borders in the security industry are gradually lessening in importance. And I couldn’t be happier – for only together can we conquer the cybercriminals – who are also these days very much together.
One such joint investigation at SAS was dedicated to the first known cyber-espionage operation – Moonlight Maze (1996) – and its connection with modern cyberattacks. Here we worked together with King’s College London.
I won’t go into the specifics here – there’s neither the space nor time. But here’s a link to the page with all the details; have a look – you won’t regret it: the investigation reads like a blockbuster-thriller screenplay.
3. Central Bank Cyber-Heist – Joint Investigation Findings.
Here’s another joint investigation run by KL experts and those of BAE Systems and SWIFT.
You recall the story of the $80mln+ cyber-stolen from the Central Bank of Bangladesh? Well…
After hearing about it we started to dig deeper, and deeper, and deeper, in the process unearthing all sorts of other cybercrimes committed by the same cybercriminal group. Besides, we had a good idea who was behind the central bank heist… – North Korea! However, this could only be confirmed 100% by the very folks behind it themselves. And anyway – we don’t do attribution, remember? Besides, we might have fallen for the oldest trick in the cyber-book too: cyber-misinformation – aka cyber-falseflagging; indeed there remain a few inconsistencies and ambiguities. On the other hand, if it indeed was the North Koreans, we have to admit that they really are very advanced and we are seriously underestimating their potential.
4. ‘A Million Dollars and I’ll ‘Own’ Your iPhone’.
Do you know how much they’re offering an iOS vulnerability for on the black market? A million US dollars.
So how much do three iOS vulnerabilities cost? Well, since this is a very rare and valuable product, they’d cost a full three million dollars. No discounts at the top end of any market – especially not this one. Still – three such vulnerabilities appear to have been purchased in one instance: the Pegasus espionage program for iDevices does use three such vulnerabilities to enable ‘ownership’ of anyone’s iKit. And you thought it was all iSecure? :)
An attack goes something like this: a text message arrives at the phone with a tasty text and a link to some resource or other. If the link is clicked on, malware is loaded into the iDevice via an exploit; unbeknown to the user, it gets admin rights and executes the remote commands of the attacker. Pretty alarming, right? Well, you can calm down. First of all, a patch has already been released for the iOS vulnerability (still haven’t updated? – do so now!). Second – it was only used for very specific attacks against a small number of concrete targets.
5. Gone in 11 Milliseconds.
What can be gone – stolen – so quickly?
A drone, aka, quadcopter.
Drones these days are pretty cheap, and therefore popular. And they normally pay for themselves quickly in satisfaction with the pics/vids that can be taken via them – or pay for themselves with the money earned for taking pics/vids for a customer.
Anyway, cheap and accessible – as you might guess – does not mean secure. Far from it. Most modern drones haven’t any reliable encrypted data-transfer channels. This means they can easily be intercepted and controlled by a third party with a software-defined radio and microcomputer – in 11 milliseconds. What happens next is only limited by your imagination. Flying into restricted areas? Into the DMZ? Landing in a crowd of folks downtown?…
This investigation was interesting not only because it showed how drones can be attacked and then abused; it also highlighted the vulnerabilities of stupid ‘smart’ devices on the whole. Smart fridges and microwaves, routers, electric toothbrushes, even kids’ toys… all of it – billions of devices – all connected to the Internet and some already doing bad things. The great majority aren’t only potentially dangerous to their owners because of a lack of the simplest of security features, they’re dangerous to all those around too.
Ok folks, that’s your lot for today. Btw, you should soon be able to see all (or nearly all) the presentations from SAS on our YouTube channel.