Cyber Anecdotes: A Tale of Worms, Shared Security, and More – CF057

Share

This week on Cyber Frontiers Christian and Jim recap security highlights from the past six weeks. We take a dive into the latest security challenges facing Windows 10, review the buzz around the Capital One breach, and jump into a variety of new tech from cell phone apps to detect pump skimmers to IBM’s unusual announcement of a blockchain-based web browser. We pack interesting anecdotes on the security landscape into an hour you won’t want to miss.


Cyber Frontiers is all about Exploring Cyber security, Big Data, and the Technologies Shaping the Future!   Christian Johnson will bring fresh and relevant topics to the show based on the current work he does.

Support the Average Guy: https://www.patreon.com/theaverageguy

WANT TO SUBSCRIBE? We now have Video Large / Small and Video iTunes options at http://theAverageGuy.tv/subscribe

You can contact us via email at jim@theaverageguy.tv

Full show notes and video at http://theAverageGuy.tv/cf057

Podcast, Cyber Frontiers, rdp, security, Microsoft, blockchain, updates, Windows, Crypto, vulnerability, exposed, skimmers


Microsoft Security August Roundup:

https://www.zdnet.com/article/microsoft-august-2019-patch-tuesday-fixes-93-security-bugs/

https://www.informationsecuritybuzz.com/expert-comments/microsoft-warns-of-new-bluekeep%E2%80%91like-flaws/

Capital One Data Breach:

https://www.capitalone.com/facts2019/

https://www.usatoday.com/story/tech/talkingtech/2019/07/30/amazon-aws-unit-says-its-not-responsible-capital-one-data-breach/1868862001/

https://www.usatoday.com/story/money/2019/08/18/2019-on-track-to-become-worst-year-ever-for-data-breaches/39963021/

New Cyber Tech on the Frontier:

https://krebsonsecurity.com/2019/08/meet-bluetana-the-scourge-of-pump-skimmers/

https://krebsonsecurity.com/2019/08/the-rise-of-bulletproof-residential-networks/

https://www.wraltechwire.com/2019/08/13/a-blockchain-based-web-browser-yes-says-ibm/

 

Jim Collison  [0:00] 
This is The Average Guy Network. And you have found Cyber Frontiers, show number 57, recorded on August 19 2019.

Here on Cyber Frontiers, we explore several big data and the technologies that are shaping the future get questions, comments or contributions, you can always send us an email Jim at the average guy.tv. might be more. It might be faster if you just send it to Christian he says Christian, the average guy.tv. And he does monitor that account. You can find me on Twitter at j Collison and Christian is at Borg whisper, the average guy TV course powered by Maple Grove partners get get secure, reliable, high speed hosting for people that you know and you trust. For more information, check out Maple Grove partners.com. Christian, always great to have you back on cyber frontiers. Welcome back.

Christian Johnson  [0:57] 
Yes, it’s good to be back. We were just commenting in the pre show that we’ve had verge to ripe two months on the.so. You know, not the best in the world, but

Jim Collison  [1:06] 
could be worse, right? June, June 19 was the last podcast I’ve kind of, I’m kind of just resolved. It’s like, you know, month and a half, two months, that’s okay. We’re just storing up the stories. I don’t think we had to work really hard to store up the stories today, because there’s always in you know, six or eight weeks, basically weeks, there’s always enough things going on out there. It’s not like all of a sense, like, oops, everybody is secure. That’s not all we talked about. So you know, there’s some some other opportunities there. But Christian, we got a bunch of stories. What do you what do you think you want to lead out with today?

Christian Johnson  [1:45] 
I don’t know. I feel like probably on the time horizon, people are just coming off the heels of automatically being rebooted for some more mobile, like viruses and or that’s a contradiction, but or is Microsoft’s RDS protocol. So it’s kind of interesting to me, we can quickly recap it essentially, to known CV ease against something that had originally come out in May. That was coined blue keep, and essentially their protocol, their protocol vulnerabilities in the RDS component themselves. And they’re all remote code execution, which is super exciting. This is what you know, in part makes them wearable. And you know, it’s bad when even things going back to Windows XP, we’re getting patched vulnerabilities for related like incidents that Microsoft had, we can quantitatively assess how bad of a month that was at Redmond this month by the fact that August security release was 93 updates for Patch Tuesday and August 2019. And those were 93 security bugs, not features or other reliability or, or feature happiness for you that was just plugging the holes and a sinking leaking faucet ship.

So pretty interesting.

I’ve been deploying most of my windows and environments at this point to delay feature updates for as long as possible and only take the security updates. So pretty much the only time I reboot in a fast like manner is when it security channel update. Look, this comes out. And yeah, definitely wanted to get it patched and get it rebooted. Otherwise, I try and stay as far behind the feature chain as possible. We’ve seen repeated cases where that’s gone really badly for people. Especially related to you might have to fill in my memory box here, Jim. But some one of the updates that came out recently, basically fixed some things and in turn broke a lot of other things, including the ability to launch Visual Basic scripts, which sounds like an old monolithic dinosaur until you realize that most of Microsoft Office on your desktop is one giant, monolithic scary backend Visual Basic like thing. So when you want to run that macro and your Excel doc command, and you can’t run your Visual Basic, whatever. Probably not going to work out for you. But also there’s there’s other core services on your operating system, and com applications that are very well known for using Visual Basic scripts in the legs. So the fact that that functionality just kind of went out from under the rug was pretty interesting. Getting back to the blue key vulnerability itself really quick. Essentially, it’s a a classic, keep overflow type vulnerability where in this specific instance, they’re playing around with the data channels and RDS protocol. So you get, you know, X number of channels for data, X number of channels for pixels, etc, etc. And what they were basically able to discover is that if you change the mapping of what is going over particular one of those channels, you’re you’re able to get that heap to overflow and get into the remote executable territory. So that’s the vector in the front door. Pretty common vector, I would say, somewhat creative that someone is going back and playing with data channels. In the RTS protocol. I mean, keep in mind that, you know, RDP has been around very, very early in the Microsoft operating system stack. So it’s pretty interesting that we’re seeing the types of vulnerabilities we’re seeing now is in stuff that’s been like, ancient, but still modern Lee, maintained and updated, right. So RDP is a very classic example that you can go back and get RDP, as early as Windows NT four, I think, definitely by Windows 2000. So you’re talking close to a 20 year history of the protocol being used in enterprise production, and many, many different versions of that software over the years, all relying on the same fundamental improvements of the original RDS protocol. So pretty interesting, I would send them order of magnitude of scary, this is a moderate high, leaning more towards the high than moderate, especially because it’s it’s remotely executable, especially because it’s not really clear to me that you can do updates safely anymore in the Otter operating system and come back to a state or everything works. And, you know, additionally, I think, to Microsoft credit by having the security channel, so the way that they do for Windows updates, more or less, if you’re using the latest approved Microsoft cookie cookie cutter environment, you’re going to get that patch pretty fast. It’s not clear that there was any ability to leverage this in the wild, which is a great success story, because it could have been pretty damaging. But the original scan of it, I suppose from 250,000, public internet, internet facing assets, suggested about 0.36% of the internet would be exposed to these vulnerabilities. So this is pretty small in comparison to over 3% that were exposed to the original blue keep disclosure, which came back out in May, targeted operating systems through windows eight, I want to say I don’t think that one included 10. And, again, larger blast radius in terms of what it would have impacted. So pretty, pretty interesting. It reminds me in some ways of

classifying it, similar to our other ransomware has spread. This obviously isn’t ransomware. But certainly, it would be a very convenient vector for someone to use an RC like this to load ransomware on a machine. So definitely the warm mobile aspect here resonates pretty well with some of the other ransomware we’ve seen. But also there’s plenty of security experts that are saying now that Windows Defender as its iteration and Windows 10, with all the cloud based AV that goes on behind the scenes, it’s actually one of the best anti virus in terms of just performance and defense is in the windows ecosystem built in. And that includes the ransomware checker that’s now a part of Windows Defender. So I would say the security system ecosystem for the average user here is definitely evolving a lot in Windows 10 for the better, while at the same time, we’re seeing what seems to be like a increased rate of just vulnerability or disclosure, one after another. Definitely 93 security bugs and a one month patch. Update release cycle is not a great headline. It’s going to be interesting to see if that rate levels off any or continues to be where it’s at right now.

Jim Collison  [9:39] 
Yes, it sounds like somebody’s got really active. You know, it’s kind of like, like all of a sudden, I mean, I haven’t seen that many and I it every month, there’s quite a few. I mean, I think if you go back, it’s not it’s not unprecedented to be in the 30s 40s and 50s of things that are found. Canada ask this question. Out in the chat room. He says who discovers these? Does Microsoft I have a white hat team. I’m sure there’s researchers that disclose but how does that work?

Christian Johnson  [10:04] 
Yeah, absolutely. So you can kind of imagine there are dedicated teams that are dedicated to doing red team like stuff in a authorized kind of secure manner, especially when it comes to looking at things that are that have that large blast radius impact. So for example, US cert, which is a sub department of DHS has dedicated people that are focused on discussing and searching and working towards finding these types of vulnerabilities. Then you have your response organism stations, like an SRC, which is Microsoft’s security Response Center, that when they get a report from something like us, or whoever the originator is that discovers it, they’re able to then research and validate the validity of that statement. So actually, the original blue keep security vulnerability that that the This one is quite like, was first found in the UK National Cyber Security Center and then reported to Microsoft. So it was named a blue keep by the security expert who found it Kevin Newmont. And, you know, obviously, it was given a CV when there’s public disclosed, but there’s, you know, a national organization behind it, in this case in the UK that disclosed it. These folks are dedicated to doing this type of research on an ongoing basis. And both Microsoft and NSA contributed to the analysis, NSA posted it advisory, the cert Coordination Center posted advisory. So there are other organizations, both governmental organizations and private research firms that are constantly evaluating the security posture of these things, and then hopefully, respond, disclosing them as soon as possible. Then the CV comes, the CV comes out, and by the time that embargo is lifted, you have your security patches ready to roll and Microsoft’s they’re saying, hey, reboot your computer now, so that it can’t be exploited in the wild?

Jim Collison  [12:14] 
Yeah, yeah. Not a non zero day is the best. The best policy to have their right. Yep. So Joe mentioned, he says he’s running, he’s come across clients with Windows servers with public interfaces, RDP enabled, if I’m the average user, and I have not exposed RDP, to the internet, so to speak. So I run RDP here, but I just use it in bits on my own network. So I can log in, I’ve got some servers that are on the other side of the room, and I just went along, and I’m assuming I’m okay there, or do I need to be worried?

Christian Johnson  [12:46] 
Yeah, absolutely. So really, in that part, that part partly measures into that statistic about 0.36% would have been directly impacted by this on day one, there’s a really big difference between when you run a server or RDP, that’s bound to a public IP address. And when you’re running RDP behind a gnat gateway with some restrictions on it, right. So for example, if you’re already paying from one computer in your house to another, chances are, you’re doing that over the local area network using local DNS local IP address space, this isn’t going to be a problem for you unless you have a malicious actors sitting in your bedroom or sitting in the street trying to Road Warrior Wi Fi. Absolutely, though, if either through net port forwarding or directly bound to a server with public IP address, you are exposing the RDP port, that immediately puts you at increased risk in general, I mean, regardless of if there’s an RCT or not, especially if you’re not protecting yourself from brute force of weak password. So there’s this element of how strong is your organization’s password security policy? How many attempts does he user get to login and your organization before that account gets locked out and suspended. So if you’re running like a small business like environment, where a you’re not auditing what connections are getting open 23389, which is where RDP runs to, you’re not enforcing any kind of credential policy or lifecycle policy on login attempts, and three, you’re not doing audit logging, and access control re remediation to ensure that only the proper people are using those credentials over that port. If you’re really going to expose RDP services over the public Internet, you absolutely must have very strong audit compliance, very short credential attempts and taking a serious look at to four forms of two factor authentication, which by default, if you’re a small to medium business, and you’re just trying to use the regular RDP, gonna be a little bit hard to do, right, you have to build in some authentication architecture behind the scenes and kind of build out your enterprise stack, so to speak, in order to support a two factor like authentication over your ad infrastructure through RDP. So depends what kind of organization what you look like, certainly, if you think about something like server Central’s or, or Windows, home server, any of those types of environments where Remote Desktop is basically vented over a security gateway. So that’s a whole different thing, where essentially, you’re first connecting over an SSH tunnel to an HTTPS like website domain. And that is basically then proxy the RDP connection for you. That’s a different scenario, because you’re not exposing the RDP protocol and port directly on the internet, you basically have to log into that website, First, download a file that allows you to open a gate and a RDP gateway. And then once you’ve brokered that connection, you’re definitely one step removed from the problem. So you’ll see a lot of enterprise organizations have some kind of remote access gateway provided by Microsoft technologies that helps you do all those things I talked about as best practice when you’re going to go to RDP on the public Internet. But certainly, I’ve seen it, a lot of other security engineers have seen it. There are plenty of organizations today that put like personal computers, and also public servers, and otherwise, they plug them in the wall, they don’t realize that’s public IP space, they don’t necessarily realize what type of angles are in place on those network switches. And they may be inadvertently exposing that RDP port without even knowing it. And then you’re at the mercy of your local Windows operating system or server operating system to defend against that. And that’s the last that’s like the worst place you want to be. If you’re getting all the way down to the actual thing that you’re going to connect as a destination and RDP. As your last line of defense, you’re missing probably five to 10. Things in front of that to keep that connection set. If

Jim Collison  [17:12] 
Christian, if I were if I had virtual servers on Azure, AWS, so to speak, I’m running Windows are those exposing RDP or to just depend on how it’s set up? To begin with to get access to those?

Christian Johnson  [17:26] 
Yeah, absolutely. So if you spin up an AWS instance, and it’s a Windows type instance, definitely you’re exposing the RDP port. A couple interesting things to note on, there’s a certificate involved, so you can validate that the port you’re connecting to is what it says it is based on the certificate that’s bound to that easy to instance. Secondly, the passwords that are generated are very strong, very long, and scope to specific accounts. So you should shouldn’t find yourself in a situation where someone could be brute forcing your RDP very easily, because it’s a very strong password. In addition, the only way you can retrieve that password after you initially launcher instance is essentially to secure it with a SSH key. So what that means is you have to upload a pen file to easy to that basically says hey, retrieve me the windows administrator password for this instance, I can then use that with RDP. And third, when you spin up an easy to instance, you control what VPC goes into, and you control whether or not you have a floating public IP address that’s bound over that VPC. So if your enterprise organization and you’re spinning up and down EC two instances, you should be looking at what are your default VPC security settings and what sub nets or IP address ranges Am I allowing to connect to that three through eight nine port, definitely not recommended to just leave it open to the world. Certainly, if you do, you’re probably in a little bit better place than some organizations. But you’re pretty much right off the bat, you have the opportunity to secure that VPC with the correct inbound firewall rules such that you should only you should immediately be able to block out 90% of the noise just by having only your organization and your organization’s IP addresses be able to hit that port. And then the rest of it you’re leaving to that strong authenticator and strong access retrieval.

Jim Collison  [19:30] 
Trying to think back to my Azure days when I had when I had Azure access to my MVP credentials. I think I would need to I could spin up an instance in RDP or you know, a box, whether it’s a server or a desktop. And of course, I’m connecting to it that way. But I would have to, I can’t authenticate through Azure to be able to get to that box. Get in and login use password on that one there. I am assuming and Joe says also a VPN plus RDP, right? And it was, as we think about another way of, I think he’s referring to another way of thinking about this. But I’m assuming like on the Agile side, that it’s kind of add that extra layer of security, because I’m logging into the website and creating a portal, you know, I’m having to log into their portal, which is creating another credential, it’s doing its thing, then allowing me to access RDP, certainly, these are not going to be if I have an instant spun up on Azure, these are not going to necessarily just be automatically exposed to a public IP. Right? Am I am I correct in assuming that?

Christian Johnson  [20:32] 
Yeah, I actually I can’t speak as well to Azure as as the AWS environment. But I will say that at the end of the day, and easy to instance, or I’m sorry, Windows, Windows box as a virtual machine, a Windows VM is a Windows VM. So once it’s provisioned, and I have access to it, and you as a cloud provider, supposed to allow me to configure my network, however, I want it to be configured, whether that’s secure, insecure, or otherwise, you should eventually be able to get to a place where your Windows Azure based instance, has direct access to expose the RDP port, if you’ve configured it that way, I just don’t know what out of the default out of the box looks like for an Azure Host.

Jim Collison  [21:19] 
Yeah, I got lucky. Why shouldn’t say lucky. So I was out of town this week, and this patch came out doesn’t matter. I’m not running that here. So I’m not necessarily that footprint. I don’t, you know, I don’t use remote desktop to access my computers from outside. So not a problem there. But all of them took the update. So I left early Tuesday morning, and all of them took the update rebooted, and then got went right back into where they were supposed to be, you know, I’ve got things running on them for for crypto purposes. And they went right back to work. So whatever I did, I’ve configured and finally, I configured my desktops, that when they get an update, reboot, I’ve got some software, you know, that restarts everything after, you know, there, it’s set to restart after a crash. But a reboot to them as a crash. So fires back up, logs back in to finish the updates. Because it’s log back in and fires back up the the the executable that I had running, and everything came back up. It was funny, Ken, who’s in the chat room, sent me a note and he was like, hey, it worked. As like sweet, three boxes. All three rebooted, it worked out pretty well for me. Not being here. So. So that was a great thing. When we think of team viewer then to you know, T. Ken, who I just mentioned, said in the chat room. So team team viewer for the win in this case. And is that really the right thing? There are things we need our dp for Right. I mean, people rely on that or maybe they just want to don’t want to be beholden to Team viewer.

Christian Johnson  [22:55] 
Yeah, team viewer

Jim Collison  [22:58] 
had their own problems. I

Christian Johnson  [22:59] 
yeah, this is convenient timing actually.

So unlike the last week, team view well, so TV is owned by Microsoft now. So of course, all good things. Oh, yeah. All good things, I believe. So let’s let’s make sure before I speak, on air, but I believe I believe team here has been owned by Microsoft for quite some time.

But any case, all all good things. How you might be right. I don’t know.

Jim Collison  [23:28] 
It says Durham, the JI software owns the Durham North Carolina based company GFI software acquired a majority stake in team viewer in 2010. didn’t have anything hold. You keep talking. And oh, yeah.

Christian Johnson  [23:41] 
Yeah, so someone’s gonna have to edit this part. No. So

you know, essentially,

in the last two weeks, team viewer has told me that I am a quote, commercial user, for attempting to log back into my desktop 3d viewer. I mean, I’ve been power user team viewer for quite some time. Clearly, those days are waning. I’m not really interested in fighting a technical word with Team viewers support about their commercial versus non commercial use policy. I know I’m not violating their terms of service, but their automated system disagrees. It really only takes connecting from one set of IP addresses or sources that they associate with something being commercial. For you to start having problems with, with the viewers of a latest edition of team here is very aggressive when it comes to how it constitutes your connection is being commercial versus residential versus for profit versus not for profit. TL Dr. I think team viewer is probably for the average guy, at least on the waning path, if if team viewer continues this trend with with their service usage metrics is probably on the waiting path for not being super reliable for a power user like myself. That said, probably still a good solution for the time being for most who are not running into this issue. But you can go read pages and pages of threads on the team for your community forums, if people who are coming up with this commercial usage issue. And again, it’s not the fact that you’re necessarily using it commercially. They look at how you’re connecting to and from. So I’m personally I’m getting to a point where there’s not a value proposition anymore. Definitely used to offer provide a lot of values of free service. I think other things like Chrome Remote Desktop, or going to went out, which makes me cringe, because what do I want to do but turn around and advise people to use more Google Google products. But here we are so not clear that there really is a front runner when it comes to I’m going to average guy that wants to do average things but wants to have remote desktop access doesn’t want to pay an enterprise license for it? Because that’s not what I’m using it for. That’s getting a little bit trickier. I would say then, then where we were a couple years ago, I thought we were past that. But I’m not convinced we are

Jim Collison  [26:17] 
can Ken says Chrome Remote Desktop has gotten much better in the past eight months for him. And he’s been using that. But again, there his you know, it’s interesting, I’m hearing more and more Skepticism on the Google side. These days, they used to be the darlings and and everybody rushed to them. I mean, think about the chrome adoption and all those pieces. But But boy, boy, there’s cracks in that infrastructure over there. On the TV or side they are, they are a German company. They’ve had two outside investments. Since 2010, the Durham North Carolina based company, GFI software, acquired a majority stake and team here in 2010. And then the London based private equity firm of a premier took over GFI steak on TV or in 2014. That’s right from there, ever so accurate Wikipedia page, interest is place to find it. So I don’t disagree with you, Christian that they have gotten more vigilant and aggressive on requiring I somehow I’ve been using it sneaking through a little bit of their web client. So I don’t actually have it installed. But I’m using their web client, I’ve got a few computers that I still access that way that I’ve gone through, pull them up, use them and I have not gotten that message. So seemingly on the website, if you’re connecting that way. It’s a little less aggressive. I’m going to notice as I’ve been doing it a bunch, I haven’t got any notices from them on their from their client. That’s really where you get it right, that client piece. And so I don’t know if that’s a loophole in there or what, but when I when I need to get my mom’s computer a little bit. I can do it through the web client on my side. She’s got a version installed there. And I can connect to it and remote control just enough to get it done. But you’re absolutely right. It is kind of messy Chrome, you got to worry about Google a little bit. There’s a really well I guess, LogMeIn? Is that probably the other one that’s out there.

Christian Johnson  [28:20] 
And I don’t think they’re fully.

I don’t think they’re fully a free service either in the sense that I know they pretty sure they have many different commercial additions of their product. So

Jim Collison  [28:32] 
yeah, well, LogMeIn has also been a company that’s been bolted together like Frankenstein. So there’s a bunch of different companies and that were put together to get that done. So for for most, as we kind of wrap this story up, for most unless they’ve got a server that’s being exposed to a public IP address. They’re using RDP behind their own firewall using public using private addresses, right, one seven before when 92 something along those lines. In this case, they patched you’re good. shouldn’t have to worry about it to this point, it would that would that be a correct assumption?

Christian Johnson  [29:09] 
Yeah, pretty much if you if you’ve done

your windows patches and your your rebooted, you’re pretty much good to go.

Jim Collison  [29:18] 
Okay, cool. I think that’s I think for most people, I think the question is, just make sure if you’re blocking updates, for whatever reason, and you’re in that situation, we’re using RDP, and any you should do this anyways, get out there and get those 93 updates from last week. get that done. I think maybe burying the lead a little bit. Christian, of course, was the Capital One breach from a couple weeks ago. I think it’s I think it’s important that we’re super clear on this one right. In and then we’re super clear about why we’re talking about it, it was a breach. It did affect people, we talk about that here on the show all the time, I’m gonna let you I want to, because of because of the nature of what you do and your work, I want to make sure we handle this correctly. I’ll let you talk a little bit about let’s get the disclosures out there. So folks now, as we’re talking about this, but give us a little bit of what happened and maybe why it happened.

Christian Johnson  [30:16] 
Yeah, so the the high level summary is that Capital One reported a data breach disclosure of about 106 million or so records, I believe in their credit application. service. So particularly when applying for a new credit card or a credit limit increase, they collect data, like your name, your address, information about your income history, your credit worthiness, etc. Essentially, Capital One is a huge customer of cloud. They’re a large customer of AWS. And so when this breach got disclosed, I was reported in public news that essentially a former AWS employee was involved in leaking this data on the internet, right. So she was arrested by the FBI in Seattle, turns out about a week ago that she’s also connected to over 30 other instances of exploiting different companies data. So she seems to have a pretty large track record here. The thing to get really important, like crystal clear on here. And because I’m speaking in a personal capacity, not representing Amazon anyway, I will just read what Amazon said in their press statement and leave it at that, which is that quote, AWS was not compromised in any way and functioned as designed, the perpetrator gained access to a miss configuration of the web application, and not the underlying cloud based infrastructure. As Capital One clearly explains, in its disclosure, this disclosure, this type of vulnerability is not specific to the cloud. So really important here, this kind of drives home something that maybe we haven’t talked as much about on this show, but as really, very much at the front and center when we talk about shared security models. So the cloud is the central nexus of the shared security model. The model basically asserts that both parties coming to the table must provide secure secure solutions. So the underlying infrastructure and the basic building blocks that a cloud infrastructure provider like Amazon, or Microsoft, or Google provides, you should be inherently secure, widely configurable, able to meet customer needs and expectations, you compare that with, you compare that with what the customer has to bring to the table, which is they’re allowed to use these fundamentally secure building blocks, they must be responsible and how they configure them, their application must be secure on top of that secure cloud infrastructure, right? So if I’m a web programmer, and I buy a virtual machine and cloud company infrastructure, and I want to run a website, that’s great. If I code a bad PHP plugin, for example, on my WordPress instance, who’s responsible for that? Well, the developer who wrote the bad plugin that’s running on otherwise secure infrastructure would be responsible in that case. But let’s say, I am a PHP developer for WordPress plugins. And I wrote a great plugin, and I deploy it in a cloud infrastructure environment where customers are able to have their data leaked out by some type of remote execution vulnerability that takes advantage of bad file permissions or bad security model on the virtual machine where that web server runs. Well, yeah, then my cloud provider would be responsible for that, right? So both parties must come to the table with a security driven policy, if if any one fails both fail, right. So in terms of the overall did it work, or did it not work? The outcome is it didn’t work. When we talk about assigning blame, or doing a risk audit analysis or root, causing these types of failures, there was nothing here in this disclosure that said

AWS XYZ component was insecure in some way. And that to why the Capital One breach happened, it was very much know, there was a known Miss configuration that was part of the Capital One ecosystem within this cloud environment. And that’s really what’s being focused on is this disclosure. At the end of the day, if this was removed from a conversation about shared security model, and there was no cloud provider at all, it was just capitalone running on their own data centers, and they had this kind of disclosure, it would be pretty much the same level of severity and impact to customers as it is today. Right? So the fact that this happened in a secure cloud environment, same impact as if this had happened in capital, one’s secure data centers, right. The impact was those 106 million people, some type of PII disclosed no social security numbers from what I recall, or if there were, it was a pretty small percentage of that hundred 6 million. Obviously, Capital One prides itself on being a technology company as a bank. So for them, they did the right thing and how they followed the disclosure, how they responded to the incident, like I thought it was pretty professional, how they responded to it. Ultimately, at the end of the day, not anywhere near the type of consequential data breaches we’ve seen in the past few years. So yes, this generated a lot of buzz, because it’s a bank. And then you see a big cloud provider, and you see all these things coming together under one umbrella headline, and it seems like some major security event. But there’s a lot of data here that should make you feel like, this isn’t as big as what it was hyped up to be.

Jim Collison  [36:06] 
I think the interesting thing, as I as I watch this unfold was not the organization or the cloud provider, but the hacker themselves. Like it was super comical how she had boasted about this on Reddit or

Christian Johnson  [36:24] 
forum, she has something going

Jim Collison  [36:25] 
on being very,

Christian Johnson  [36:26] 
kind of I mean, not, I mean, and caught fairly easily. It was not I believe she pretty much rolled over and admitted it as soon as the FBI came knocking. So I don’t know what that tells you Really? I don’t

Jim Collison  [36:40] 
know. super interesting. I think it says I mean, it’s I mean, if there’s, you know, you’re going to be going to be a hacker, you probably got to be a little more, you got to be a little more careful. Or maybe a little sneaky, then that sounds like a pretty, fairly easy based on our inside information, a fairly easy exploit without a lot of necessarily hacking going involved. Maybe some insight knowledge of some things helped out. And that’s not I mean, I don’t know. So I think this is there, there there. I think they’re going to throw the book at or in a lot of ways. And they’re going to make an example of this in even more. And so I think it could be interesting to follow this through through the court cases and to see what It’ll take a while probably for to get all the way through. It is when we think about banks, and and we think credit with with the recent credit hacks that have gone on with Experian and such, there is a little bit of fatigue for the consumer to be like great, another free year of credit protection, because they always offer that right. Yep, on things like this another free year credit protection, but that in an offer and I think in an offer to pay some retribution if if their credit is indeed used fraudulent lane, you got to do a lot of work and experience case like it was almost impossible to show the proof that something did happen to you to be able to claim that right that on the on the heels of this happening, experience has settled as well, right. And they have said, okay, you’re going to get 125 bucks or something like that.

Christian Johnson  [38:15] 
So so that one’s actually interesting, because the way that works, there is the way they did the class action lawsuit for Experian, there’s kind of two buckets you fall in, if you don’t have existing credit protection, meaning like you weren’t impacted by some other breach yet, or you already pay for credit protection, whatever it is, I think you must take the one year free credit protection that Experian was offering if and only if you already have a credit protection monitoring service, which is true for many of us, then you’re entitled to the payout of $125. That catches the more people that know about the class action lawsuit. And then the people that qualify for the cash payout election, instead of getting the free credit protection. That hundred $25 per person amount whittles down, right because the settlement is for a fixed pool of money. It’s not 125 times the number of people that show up eligible, it’s no x millions of dollars divided by the number of people that show up. So like by default. Yeah, that was probably $125. But then it went viral. And everyone was like get your free paycheck. We have people on Capitol Hill actually tweeting, get your free paycheck, with respect to the experience, disclosure, leave that for what it is. So at the end of the day, maybe that’s like $5 in your pocket, maybe that’s a cup of coffee at Starbucks, I don’t really know. Certainly sound, it certainly sounds like it’s gonna be a lot less bigger than, you know, a nice little hundred $25 check showing up in your mail, which quite honestly wouldn’t be an all that unfair price for the level of neglect associated with a one one of the tri state credit bureau applications kind of failing at their primary mission and beautiful as

Jim Collison  [40:06] 
well. And, you know, for the last 10 or 15 years or so, you know, there’s just been an assault on that kind of credit information, whether it be social security number, like I’m pretty sure my social security numbers public, like at this point, or email addresses? Well, I know my Yahoo account has been compromised about 16 times already, it’s really just a spammer account at this point. I you know, I send things there that I don’t really you know, for for mailing lists and things like that. The I mean, not my public of my where I live, pretty public. You know, so it’s, it is one of those things, I think, and I thought we would have done this by now. But I think we need a new system, like we need a more secure way of identifying people of that of it being you know, those transactions being qualified, and you know, it almost like I need to factor before any kind of financial transaction is allowed for me in anywhere, and you know where I can, it’s going to notify me and say, and I know, that’s what this credit protection stuff supposed to do, but doesn’t seem didn’t seem to be working. And I feel like we’re going to need a new financial system of some kind, you know,

Christian Johnson  [41:20] 
I just think, or people are just going to become very comfortable with the part where things once public are now or once private or now just public news. Yes, tech them.

Jim Collison  [41:30] 
Yeah, well, but I think before I lend out money, or before I allow transactions to happen, we got to come up with a better authentication system that doesn’t require some of those things that are public or whatever. And because it’s still happening, I mean, people’s identities are still being stolen in a ridiculous rate, and doesn’t seem like it’s as high profile as it was, at some point. It seemed like there I saw some ridiculous numbers there of saying the number of people every year that was being done. I haven’t heard that in a while. So maybe it’s slowing down a little bit. I don’t know, maybe we’re kind of figuring it out. But I think we’ve got a little bit I think we have a little bit of work to do. And I’d love to see some innovation around this idea coming out of the tech sector to say, Hey, here’s a way, you know, here’s a way for that to be secure or more secure in some way so that that transaction, whatever it is, is absolutely, you know, qualified some way. However that is I don’t know. I don’t know how we get anything else you want to add to that?

Christian Johnson  [42:31] 
No, I think that’s that’s pretty, pretty good summary.

Jim Collison  [42:35] 
I love the name of this next one blue Tana is that. So meet blue Tiana, the scourge of pump skimmers?

Christian Johnson  [42:44] 
Yeah, this one’s actually kind of interesting to me for two reasons. I’ll probably one. Yeah. But one is that people, like cared about this enough to make an app. I think that’s pretty cool. There’s some caveats I have to it. Like I’m trying to envision like, you know, your average Joe being like, up, let me pull up my app and scan the gas pump before using it. I think it’s kind of cool, though, from a research perspective that, you know, someone just went into this. Of course, it’s a computer scientists from university that did this thing. So kind of fits that research the prototype be,

Jim Collison  [43:25] 
but this is what I’m all about, like somebody cared about a problem. It was like, dang it, I’m going to come up with a computer science way of fixing it.

Christian Johnson  [43:32] 
Absolutely. Now, I will. I will say that the the intriguing aspect of this is that I’m increasingly as a customer only choosing to shop at gas station pumps that support Apple Pay. So this actually turns out to be Sunoco, which most of us know co pumps in the DC area, you can just put up your phone and Apple Pay. So I have to worry about a card skimmer and that’s pretty awesome. So while this is cool, it seems like the answer is still clear, which is get away from magnetic strips. And these problems go away. So yeah, this, you know, the skimmer detection. That’s a cool project has applicability to detecting other types of Bluetooth intrusions potentially, but I think the longer term horizon here is, we know of more secure authenticators like NFC Based Payment Systems. And we should use

Jim Collison  [44:27] 
so for those wondering, Bhutan is in new mobile app that looks for Bluetooth based payment card skimmers hidden inside cash pumps, it’s helping police and state employees more rapidly inaccurately locate compromised fuel stations. This I think is the important part, maybe not necessarily Christian just for you. But in identifying or even you know, you could kind of think you know, your local quick trip or name the gas station, right? Could be like, I maybe I’m going to check every once in a while to make sure something hasn’t been deployed on my own card skimmers or my own credit card devices. A study released this week suggest data collected at the course of the investigation also revealed some fascinating details that may help explain why these pumps cameras are so easily so lucrative. Yeah, because people don’t check right then you have being used by agencies in several states, the brainchild and you mentioned this computer science, from the University of California, San Diego and Illinois, Urbana, Urbana Champaign, who say you developed a software in tandem with the technical inputs from the US Secret Service. Who was called into investigate these rings. This has been a problem, right? I mean, it has been, it has been a big problem in an app for either law enforcement or the gas station owners themselves to check their pumps. I mean, certainly, there’s gotta be some financial incentive from both the credit card companies, the gas stations themselves and law enforcement and be able to check these pretty easily. That sounds like a turns every phone, right? Any Bluetooth enabled phone into a kind of an ID checker with the same hold true with an ATM, maybe that’s been compromised as well.

Christian Johnson  [46:02] 
Potentially should be the same class of stuff.

Jim Collison  [46:09] 
Yeah, no, I thought it was cool. That’s, this is the one like I really liked this app. Because I was like, I can’t imagine this would be me, I would I download it, use it. And then I would always just, I would start driving around trying to like, in the old days when people didn’t secure their Wi Fi and it was this is easy. And you just wrote away or I think is what you call that where you just pull up in front of the curbs would be March I remember those days, right? Yep. And nobody really cares about that anymore. But for a while, because you could do it you would write this is another one of those things that I would probably put on my phone and for a weekend drive around all the gas stations here in Bellevue. Just see. Right, if any of them show up on it. So it sounds a little Robinhood ish. Right from that. From that standpoint, so cool. Anything else on that one?

Christian Johnson  [47:01] 
Yeah, no, I think that’s that’s good for that one.

Jim Collison  [47:03] 
Um, speaking of that of roadway or it’s not what they call that what they call it in the day where you would they would you could mark thing? Yeah.

Christian Johnson  [47:12] 
I think I made that one.

Jim Collison  [47:14] 
Yeah. So anyways, the rise of bulletproof. These are all Krebs on security articles. By the way, we’ll put the link to them in the show notes, as we kind of wrap things up here will cover a few of these but the rise of bulletproof residential networks, is that even possible?

Christian Johnson  [47:28] 
Yeah, well, so it’s kind of a misleading title, actually, which is part of the reason why I love the article. But it really dives into something that I’ve seen in my own infrastructure and have been kind of intrigued by, which is that there’s a high value premium on being able to make a bunch of requests on the internet in general, or send a bunch of traffic that A is not attributable, be can be blocked or stopped over time, because see, you’ve diversified the sources of where the traffic is coming from, to the point where it’s not like, you’re going to block an IP address, and the problem, problem is solved, right, it’s going to be drips or, or, or bursts of different traffic coming from a bunch of different places at once. And you’re not going to have a human being involved in trying to intervene and control all of that. And the article goes to talk about this new internet provider in Maryland called residential networking solutions I’ll see. And they’ve basically bought up a bunch of previously owned IP address ranges from like, cell cell phone companies. So they’ve bought old blocks from at amp T, from Verizon, from Comcast, etc. And they now have more than 70,000 ipv4 addresses in their little arsenal of the this resonant network. And its most like a, in a way, you could think of it as like a black hat, highest better type network where people are selling access to be able to get on and use those IP networking spaces for whatever they want it to be, whether it’s boxing or shoe buying, or pushing your own online Ponzi scheme, like whatever the flavor of the day is that you want to do that, you know, the most part, automated machines are going to catch up with you pretty quick, if you do it from a small set of addresses. This is like a premium commodity to be able to get access to this huge range of IPS that even more so don’t even look like data center addresses their residential looking addresses. So you know that right, there is something that will start throwing off a lot of automated defense mechanisms. So, you know, one of the little advertisements that Krebs quotes, in his article is talking about someone who’s advertising seven day quote, trial access to a IP address pool of 1.2 million addresses. That’s absolutely devastating, especially if you’re smaller, medium sized business, and you’re going to if you get profiled and targeted, and your the attack operation coming for you is coming from something like that, good luck defending against it, right? Like it’s Yes, you can block out all of that resonance, subnet, etc, and start allowing back in over time. But these types of things are incredibly disruptive to day to day business operations to tuning whatever automated algorithms and intrusion detection prevention systems are out there trying to help you with this problem. So I was really kind of intrigued by it mostly because, you know, bulletproof residential networks makes it sound like I as a residential customer and getting some increased security and reality. It has absolutely nothing to do with that.

Jim Collison  [51:05] 
It’s actually the opposite. Right? Yeah. In that case. And so blocking that you mentioned this, but just blocking if you’re having that. Is it a block of numbers that I could invalid theory block, but because they’re so diverse? Does that get extremely difficult?

Christian Johnson  [51:22] 
Yeah, in theory, if you knew that you are getting targeted, and a lot of the addresses were coming from things that were registered in the Aaron database to, to, you know, this residential networking solutions, LLC. In theory, you could then run a query that looks up all of the,

Jim Collison  [51:43] 
like

Christian Johnson  [51:44] 
subnet IP blocks that they own and just block the entire cider blocks for that for that particular ASN. But, again, that gets a little tricky, especially if they’re a lessons are owned under multiple different, you know, shell entities for lack of a better word.

Jim Collison  [52:06] 
All right. things to look out for. I think we’re at our time, anything else you want to add in Christian by that hour goes fast?

Christian Johnson  [52:13] 
Now, I think that’s a wrap. Actually, the one thing I will add that is a trending thing when we we’ve talked about crypto and blockchain quite a bit on the show. One of the probably the most interesting articles that caught my attention in the last month was IBM development and acquisition of a blockchain based web browser. Totally didn’t see that coming from IBM of all places.

Jim Collison  [52:41] 
Innovative lately me and they may not be dead yet.

Christian Johnson  [52:44] 
They They certainly caught me off guard by that for sure.

I’m not going to go so far to say it’s all Watson moment yet. But it’s certainly an intriguing concept. If a player like IBM is willing to get that space, that tells me that a couple things one, blockchain is alive and well. And people still figuring out how it’s going to actually be used in the long term to when we talk about conversations previously on this show around who is going to be the Data Broker and where that power is going to be centralized around right. Today, the internet and World Wide Web is very much a gatekeeper model and data brokers and people in power and people non power. A blockchain based web browser could drastically disrupt that ecosystem where new brokers of data more decentralized data broking, more private internets within a public internet for lack of a better word. So and then you put in you put behind the research dollars and enterprise span of something like IBM, this suddenly starts to smell very interesting to me. So this is a, I would say, this is definitely something to watch out for as a frontier technology indicator, using stuff that we know exists in the frontier spectrum today. But I think the fact that we’re seeing this as a real interesting data point, and we should keep our eyes on it.

Jim Collison  [54:17] 
I don’t think they planted this way. But I think crypto was a perfect kind of vetting kind of application, it had the right motivations associated with it, it kept people interested in it, there was high traffic in it kind of proves out some forking methodologies of the blockchain. It it’s it it enforced transaction volumes and speeds, it made it like, you know, the initial versions of it, were not scalable at all. And now we’re starting to see these technologies to come along to scale that speed speeds important in some areas, not others, but but it’s pushing it right. And I think as we continue to work in the crypto space, it’s proving some things out, it’s testing some things for us. But it’s got a lot of financial incentive. And so it goes it moves very, very fast in its testing, and and there’s some there’s some ramifications behind it. And listen, people have lost real money and have gained real money in this thing I hate to think of, I wonder what if we thought about all the millions of dollars or maybe billions at this point that has changed hands, and you kind of think I wonder what has been gained and lost? It’s probably not trackable. But but I do think crypto is a good is a good use case in the very beginning to prove all this stuff out. That will all benefit from this 20 years from now when sure crypto will always be a part of the blockchain. But I think there’s going to be some really good applications that come along that take advantage of the the blockchain idea and in make good use of it. And there’s there’s a lot of great security things built into it. That could be pretty great. Moving forward that could help us solve some real problems. And so I I’m excited to see where it goes. crypto is a little bit of a QA, you know, on it kind of like, Hey, is this thing going to work? Trust me, Christian, if there wasn’t any financial incentive in this, nobody would do it. Like, it just wouldn’t be interesting. If there was no crypto in blockchain. blockchain would still be where it was nine years ago, or 10 years ago, kind of kind of a well, I think it should work. You know, the money aspect is really driven it pretty fast. So I think we have we have crypto to thank for that. In the long run. They’ll always be some kinds of crypto applications. It just makes sense. It’s a great. It’s a great transfer value type tool. But interesting to see IBM jump into it. They have made some interesting acquisitions over the last couple maybe year or 18 months, which kind of go lights are still kind of on over there. Like Okay, we’re, you know, I gotta be on

Christian Johnson  [57:00] 
Yeah, yeah, not not a not a space I expected. I don’t

Jim Collison  [57:03] 
know. I don’t think they’re launching rockets.

Christian Johnson  [57:05] 
So Not yet. Not yet. You never know what’s

Jim Collison  [57:09] 
gonna get carried away. But they’re doing some interesting things from that well with that or my neighbor when the average guy.tv is powered by Maple Grove partners. Get secure reliable high speed hosting from people that you know you trust WordPress and optimized lightning fast. Check out Maple Grove partners.com. We welcome your questions. If you want to send those in, kind of stumped Christian on something or you’d like us to talk about something that you’d like to hear send us an email Jim at the average guy TV better just to send it over to Christian Christian at the average guy.tv You can find me on Twitter at j Collison. You can find him on Twitter and now. You can find him on Twitter over at Ford whisper. We hope you enjoyed it. We’d love to have you share it with us back in about three years. Couple weeks with the next cyber frontiers with that will say goodbye America.

Transcribed by https://otter.ai


Contact Christian: christian@theaverageguy.tv

Contact the show at jim@theaverageguy.tv

Music courtesy of Ryan King. Check out the Die Hard Cafe band and other original works at:
http://diehardcafe.bandcamp.com/http://cokehabitgo.tumblr.com/tagged/my-music

Share