Yesterday, WikiLeaks published thousands of pages of what appeared to be leaked internal CIA documents.
The haul, which WikiLeaks has somewhat pretentiously dubbed “Vault 7”, is claimed to be “the largest ever publication of confidential documents on the agency.”
The first 8,761 documents released by WikiLeaks appear to be fairly recent, and have been dubbed “Year zero” (again, for reasons perhaps best known to Julian Assange).
Some of the juicier titbits contained within the documents are already making plenty of headlines.
Unfortunately, some of the reporting has been sloppy.
Take, for instance, WikiLeaks’s claim that the CIA can use zero-day vulnerabilities to “bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman”. This sloppy language led some journalists to report that the CIA had found a vulnerability in the secure chat apps that allowed them to snoop on “secure” messages.
But that’s not true.
Instead, it appears that WikiLeaks is merely referring to the CIA’s ability to infect smartphones with spyware that can record conversations and keystrokes. No-one wants to be snooped on in that way, of course, but it’s a very different prospect from secure apps like Signal being found to contain a fundamental weakness.
If an unauthorised party has physical access to your computer or mobile device then all bets are off. Of course they could install spyware onto it.
The report resulted in Whisper Systems, the brains behind the Signal encrypted messaging app, putting the record straight:
The CIA/Wikileaks story today is about getting malware onto phones, none of the exploits are in Signal or break Signal Protocol encryption.
— Signal (@signalapp) March 7, 2017
Indeed you could argue that apps like Signal are doing a great job at securing their end-to-end encrypted communications if authorities have to go so far as intentionally meddling with one of the devices to discover what is being communicated.
You may also hear news reports of the CIA turning smart TVs into insidious spying device, keeping a crafty eye and ear on viewers, following the following assessment made by WikiLeaks in its press release:
The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell’s 1984, but “Weeping Angel”, developed by the CIA’s Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization.
The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS. After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.
Again, there’s some need for a fact check here.
“Weeping Angel”, named after a terrifying Doctor Who monster that you really shouldn’t blink at, is installed via a USB stick.
If you’re worried about the prospect of an intelligence agency breaking into your home in order to plug a malicious USB stick into the back of your Samsung Smart TV then I’d argue you probably should also be worrying that intelligence agencies are breaking into your house full stop.
After all, who knows where else they could be installing surveillance devices?
Now if there was any evidence that the Weeping Angel surveillance module could be installed onto smart TVs remotely without having to creep around someone’s house, or that TVs were being meddled with in the supply chain before arriving in households, then, well, maybe that would be more alarming.
Over the coming days there will no doubt be much more to dig out from WikiLeaks’ CIA files leak. In the meantime, here are some interesting articles to keep you occupied:
- Reuters: WikiLeaks says it releases files on CIA cyber spying tools
- The Intercept: The CIA didn’t break Signal or WhatsApp, despite what you’ve heard
- Ars Technica: After NSA hacking exposé, CIA staffers asked where Equation Group went wrong
One final thing.
WikiLeaks claims that the CIA has been “hoarding” serious zero-day vulnerabilities and exploits that allow it to break into and spy upon technology from the likes of Apple, Google, Microsoft and other manufacturers.
WikiLeaks then correctly says that not sharing details of the vulnerabilities with vendors and manufacturers is a bad thing – because it prevents the right people from patching the vulnerabilties and making us all stronger. And, more than that, while left unpatched there is nothing to stop intelligence agencies in other countries to exploit the same security holes for their own spying activities.
I agree with that. I believe if a vulnerability is found it should be responsibly disclosed to the vendor or manufacturer so a proper fix can be put in place – to the benefit of all users around the world.
WikiLeaks so far has held back, not publicly releasing the alleged CIA hacking tools and exploit code. I hope they choose not to make them public as I doubt any good will come of it. Instead, Wikieaks should share the information they acquired with the vendors who are best placed to fix the security holes.
Anything less than that is simply making things worse for all of us.
You can hear some of my personal views about WikiLeaks’s release of the “Vault 7” CIA data dump in this episode of the “Smashing Security” podcast where I was joined by Carole Theriault and special guest Paul Ducklin (better known as “Duck”).
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hey Graham.
Hey Carole.
Tell me, what is the biggest cybersecurity headache for sysadmins?
Oh, that's easy. It's the users, isn't it? They're the pain.
Exactly. And imagine if you could have a kit that had everything you needed to roll out cybersecurity training to all your users.
That would be fantastic, but I imagine it would cost an awful lot of money.
No, it's completely free. Our friends at Forsys have created this amazing kit and you can download it for free from their website, forsys.co.uk/toolkit. That's Forsys, F-O-U-R-S-Y-S.
You're telling me that if you just go to forsys.co.uk/toolkit, you can download this fabulous piece of training material and get your staff up to speed when it comes to computer security?
Bingo!
Sounds fabulous. Well, thank you to Forsys for that, and thank you to Forsys as well, because I heard they're actually sponsoring our show this week.
Don't sound surprised, it's a good show.
Smashing Security, Episode 11: WikiLeaks and the CIA, with Carole Theriault and Graham Cluley. Hello everybody, and welcome to another episode of Smashing Security.
Smashing Security, Episode 11, for Thursday, the 9th of March, 2017. And I'm joined as always by my buddy Carole. Hello, Carole.
Smashing Security, Episode 11, for Thursday, the 9th of March, 2017. And I'm joined as always by my buddy Carole. Hello, Carole.
Hello.
And we've got a special guest with us today, haven't we?
Very special.
Who's trying not to snigger in the background.
And if you can't tell already, it is a luminary from the computer security industry, Mr. Paul Ducklin. Hello, Duck.
Hello, chaps. Thanks for having me.
And Duck, for those people who don't know you, introduce yourself, explain who you are and why you're here and that sort of thing. Why are you here?
No pressure.
Well, my name is Paul Ducklin.
I work for Sophos where I have worked for many years, and most of what I do these days is to write security explanations—issues such as cryptography, malware, and so forth—for our Naked Security website, what I like to talk about as SESSI-COWIE, which is Security Explained So You Can Actually Understand It.
And is this acronym SESSI-COWIE, is that taking off in a big way at the moment?
It's done about as well, unfortunately, as Vorriwoggom, which I know is one of yours, which I still like and I still use and I used it today and I think it's kind of an important thing for security companies to get their heads around.
I work for Sophos where I have worked for many years, and most of what I do these days is to write security explanations—issues such as cryptography, malware, and so forth—for our Naked Security website, what I like to talk about as SESSI-COWIE, which is Security Explained So You Can Actually Understand It.
And is this acronym SESSI-COWIE, is that taking off in a big way at the moment?
It's done about as well, unfortunately, as Vorriwoggom, which I know is one of yours, which I still like and I still use and I used it today and I think it's kind of an important thing for security companies to get their heads around.
Voice of reason in a world gone mad.
Yes, it's a bit less of the speculation and a bit more of the usable facts that help us all lift our game a bit.
So, Carole, what have you been up to since we last recorded?
Well, I've actually been playing with the Nintendo Classic Mini. So I got one for my husband because he did me a solid.
So I bought him a treat, which is Nintendo Entertainment System. Do you remember this? It's the old one from 1986, but it's been miniaturised to this palm-sized console.
So I bought him a treat, which is Nintendo Entertainment System. Do you remember this? It's the old one from 1986, but it's been miniaturised to this palm-sized console.
This is a video game console? Yes.
Right. From '86. So it's all the original games. You know, you've got your Donkey Kongs and your Pac-Man. So— But it's not a Game Boy, right?
No, no, no.
It's a proper console with a little handset.
Hang on, a Game Boy is a proper console.
It is, but it doesn't connect to your TV. It has its own screen, doesn't it?
I think in the modern era, that could be considered something of an advantage.
1986. Come on. Anyway, it was really fun. And I've had a really good time playing with that last night.
So you're having a really pixely time at the moment. It sounds good, it sounds good fun.
And, you know, I think it's quite good to experience those kind of games in the old-fashioned way before you go and swap over to the Nintendo Switch and the latest Legend of Zelda and all the super duper graphics you get today.
So it sounds a lot of fun. What isn't so much fun, of course, is some of the stuff which happens in security sometimes. Sometimes it's not as smashing as we might like.
And the hot topic as we're recording this is the fact that WikiLeaks, God bless me, they've published thousands of pages of what appear to be leaked internal CIA documents.
Yep, Julian Assange has released what he calls Vault 7. He's, I don't know if there's a Vault 1, 2, 3, 4, 5, 6, where do they come up with these crazy names from, I don't know.
But he says it's the largest ever publication of confidential documents on the CIA.
Much of it is focused on how the CIA could attack and spy on devices, particularly smartphones, and in particular iPhones, which are generally thought to be more secure than Android.
Have you guys seen any of the headlines around this stuff?
And, you know, I think it's quite good to experience those kind of games in the old-fashioned way before you go and swap over to the Nintendo Switch and the latest Legend of Zelda and all the super duper graphics you get today.
So it sounds a lot of fun. What isn't so much fun, of course, is some of the stuff which happens in security sometimes. Sometimes it's not as smashing as we might like.
And the hot topic as we're recording this is the fact that WikiLeaks, God bless me, they've published thousands of pages of what appear to be leaked internal CIA documents.
Yep, Julian Assange has released what he calls Vault 7. He's, I don't know if there's a Vault 1, 2, 3, 4, 5, 6, where do they come up with these crazy names from, I don't know.
But he says it's the largest ever publication of confidential documents on the CIA.
Much of it is focused on how the CIA could attack and spy on devices, particularly smartphones, and in particular iPhones, which are generally thought to be more secure than Android.
Have you guys seen any of the headlines around this stuff?
Yeah, and it's likely to really ruffle some feathers, isn't it?
Some of the reporting I think has probably been quite sloppy actually.
So we saw, for instance, WikiLeaks claim that the CIA can use zero-day vulnerabilities to bypass the encryption of popular chat apps like WhatsApp, Signal, Telegram, and Confide, which is the one which is alleged that the Trump administration or some members of it might have been using to secretly communicate with each other.
But it's not really the case. It doesn't seem though that the CIA have really broken the encryption of these, which obviously would be huge news and alarming for many people.
Instead, it looks like what the CIA have been doing is they've been using zero-day vulnerabilities maybe to snoop on smartphones.
So to break smartphones and to commandeer smartphones. And of course, once they control a phone, then they can see anything which is going on it.
They can see the conversations, they can see what's happening through those sort of devices.
So we saw, for instance, WikiLeaks claim that the CIA can use zero-day vulnerabilities to bypass the encryption of popular chat apps like WhatsApp, Signal, Telegram, and Confide, which is the one which is alleged that the Trump administration or some members of it might have been using to secretly communicate with each other.
But it's not really the case. It doesn't seem though that the CIA have really broken the encryption of these, which obviously would be huge news and alarming for many people.
Instead, it looks like what the CIA have been doing is they've been using zero-day vulnerabilities maybe to snoop on smartphones.
So to break smartphones and to commandeer smartphones. And of course, once they control a phone, then they can see anything which is going on it.
They can see the conversations, they can see what's happening through those sort of devices.
You know what it's like when there's a big data leak like this, when there's 10,000 documents out, you know?
People are out there, they're reading the headlines, they're just reading the summaries and they're throwing out articles as fast as they can.
And I think in the coming days we're gonna find out, you know, what everything this stills down to, because there's going to be fake news.
People are out there, they're reading the headlines, they're just reading the summaries and they're throwing out articles as fast as they can.
And I think in the coming days we're gonna find out, you know, what everything this stills down to, because there's going to be fake news.
But don't you think in this time when we keep on seeing allegations of some of the media being, you know, fake news, dare I say it, that we do need the journalists to do a bit of a better job?
I mean, for instance, the New York Times, right? Which most of us, I know there are some notable exceptions, respect as an august media organisation.
They ended up deleting some of their tweets because they got so carried away with this news.
I guess there's always this push, isn't there, to be the first with the breaking news in order to get the clicks?
I mean, for instance, the New York Times, right? Which most of us, I know there are some notable exceptions, respect as an august media organisation.
They ended up deleting some of their tweets because they got so carried away with this news.
I guess there's always this push, isn't there, to be the first with the breaking news in order to get the clicks?
One of the problems I've got with a lot of the stories we've had, not necessarily this one, but in general, when you get a big leak or, you know, a big exposé of a large number of documents that have a whole history behind them, you know, you're thinking back to Ed Snowden and the Chelsea Manning stuff, is that it's almost as though you end up with headlines that tell the story as it was at some unknown time in the past.
And that's a big problem when you say, oh, we've got loads of zero days.
And for all we know, that might be, well, there was a zero day for a bit, and then that was patched 7 years ago, and this one worked for a few months, and then it was patched in April, and so on.
And that's the problem. Oh, there are loads of zero days.
Unfortunately, there are at least some zero days, maybe not as many as some people might want us to believe, that occur in products, that appear in products.
And those who don't patch, who don't use the latest versions, who don't adopt safe practices may get caught out long after the fact.
You know, the fact that ancient malware still gets a grip on some people's computers is evidence of that.
But this idea of, wow, giant zero-day storm, unfortunately there's an awful lot of work to do to put that into context and say when this thing was a zero-day and when it wasn't.
So you also get people going, oh well, there's all these zero-days. Like, have you got samples and do you detect them?
And so I'm thinking, well, if we did, by definition, they wouldn't really be zero days, would they?
So it's almost as though we get excited by the word zero day without considering that sometimes, fortunately, zero days are only there for a very short time, particularly if you're on the ball with patching.
And that's a big problem when you say, oh, we've got loads of zero days.
And for all we know, that might be, well, there was a zero day for a bit, and then that was patched 7 years ago, and this one worked for a few months, and then it was patched in April, and so on.
And that's the problem. Oh, there are loads of zero days.
Unfortunately, there are at least some zero days, maybe not as many as some people might want us to believe, that occur in products, that appear in products.
And those who don't patch, who don't use the latest versions, who don't adopt safe practices may get caught out long after the fact.
You know, the fact that ancient malware still gets a grip on some people's computers is evidence of that.
But this idea of, wow, giant zero-day storm, unfortunately there's an awful lot of work to do to put that into context and say when this thing was a zero-day and when it wasn't.
So you also get people going, oh well, there's all these zero-days. Like, have you got samples and do you detect them?
And so I'm thinking, well, if we did, by definition, they wouldn't really be zero days, would they?
So it's almost as though we get excited by the word zero day without considering that sometimes, fortunately, zero days are only there for a very short time, particularly if you're on the ball with patching.
And since this story first broke, we've seen Apple actually, they've come out and said, well, most of these things are already fixed.
And I believe they were also talking in some of the documents about alleged zero-day vulnerabilities in antivirus software.
And from the discussions I've had with some antivirus companies, it sounds like some of those certainly are old issues as well, which may have been resolved some time ago.
So people don't have to worry. Of course, people who might have to worry are those people who aren't updating, who aren't patching themselves.
And that makes me begin to think about what about all those Android users where if you've got a Google-branded device, there's a good chance that you're receiving security updates on it.
Well, I don't know about good, there's a chance. Well, okay, there's even less of a chance if you are using a device manufactured by some of the other vendors doing Android.
And I believe they were also talking in some of the documents about alleged zero-day vulnerabilities in antivirus software.
And from the discussions I've had with some antivirus companies, it sounds like some of those certainly are old issues as well, which may have been resolved some time ago.
So people don't have to worry. Of course, people who might have to worry are those people who aren't updating, who aren't patching themselves.
And that makes me begin to think about what about all those Android users where if you've got a Google-branded device, there's a good chance that you're receiving security updates on it.
Well, I don't know about good, there's a chance. Well, okay, there's even less of a chance if you are using a device manufactured by some of the other vendors doing Android.
There might be zero chance because I remember there were a couple of years ago going to look into this and thinking, well, I wonder what the— I forget what the context was, but it was, you know, what versions of Android are in the shops at the moment?
And I went on my way into work, I stopped at a popular mobile phone shop along the way, and I went in and I went straight to the budget table, you know, where you're going to pay $100 or less for your phone.
And I looked at these devices and some of them were quite neat, perfectly usable, and they were already using versions of Android that had not been— they were still using versions of Android that had not been supported for a year or so.
And this was two years ago, you know, when everyone was— you're supposed to be going towards version 5 and version 4.4.
Well, that's the LastPass, that's the oldest one you really want to consider.
You could buy an off-the-shelf device and it was, you know, it was well priced for that reason, I suppose. And it had, say, Android 4.2 on it.
And it was pretty clear that when you bought that device, not only was it already out of date, but you were never going to get updates. And that was sort of by design.
And it seems a bit of a pity that maybe it's not made a little bit clearer to the people who are buying them.
And I went on my way into work, I stopped at a popular mobile phone shop along the way, and I went in and I went straight to the budget table, you know, where you're going to pay $100 or less for your phone.
And I looked at these devices and some of them were quite neat, perfectly usable, and they were already using versions of Android that had not been— they were still using versions of Android that had not been supported for a year or so.
And this was two years ago, you know, when everyone was— you're supposed to be going towards version 5 and version 4.4.
Well, that's the LastPass, that's the oldest one you really want to consider.
You could buy an off-the-shelf device and it was, you know, it was well priced for that reason, I suppose. And it had, say, Android 4.2 on it.
And it was pretty clear that when you bought that device, not only was it already out of date, but you were never going to get updates. And that was sort of by design.
And it seems a bit of a pity that maybe it's not made a little bit clearer to the people who are buying them.
And every month that goes past, the situation's getting worse.
I mean, just this week we've seen Google, there's been another Android security bulletin, scores of vulnerabilities have been patched.
So, you know, the operating system has been patched. That's great that Google's done that and they fixed that.
But now we've got this challenge of how are we going to get those patches to those users?
And as you said, many of them simply there is no route whatsoever through which they're going to get it. And so they're going to remain vulnerable.
I mean, just this week we've seen Google, there's been another Android security bulletin, scores of vulnerabilities have been patched.
So, you know, the operating system has been patched. That's great that Google's done that and they fixed that.
But now we've got this challenge of how are we going to get those patches to those users?
And as you said, many of them simply there is no route whatsoever through which they're going to get it. And so they're going to remain vulnerable.
And if you're going to buy that $45 phone that you think is great value, then you need to do a little bit of homework.
It's almost like personal due diligence where you go, you— so you need to learn with Android how you go into the settings page and how you find out what the Android version is.
And you know, all the relevant serial number details and the vendor and even perhaps the carrier, you know, the mobile phone company that's locked it to them, perhaps if that's legal in your country.
And then go online and have a look and see whether that device is ever going to get any more security updates.
Because if it isn't, you're going to be one of those guys who's at risk of security problems that to the rest of us are kind of considered written off and no longer existent.
It's almost like personal due diligence where you go, you— so you need to learn with Android how you go into the settings page and how you find out what the Android version is.
And you know, all the relevant serial number details and the vendor and even perhaps the carrier, you know, the mobile phone company that's locked it to them, perhaps if that's legal in your country.
And then go online and have a look and see whether that device is ever going to get any more security updates.
Because if it isn't, you're going to be one of those guys who's at risk of security problems that to the rest of us are kind of considered written off and no longer existent.
And if you think updating your phone is tricky and bad and getting the vendor to push updates out to you, that's bad. What about all these other Internet of Things devices?
Oh, don't. Yeah, one of the things which has come out of this release from WikiLeaks is alleged attack against smart televisions.
There've been a lot of headlines about this so-called Weeping Angel attack.
Clearly they were Doctor Who fans, where allegedly law enforcement agents were able to compromise Samsung smart TVs.
And then even when the TVs appeared to be off, they would be secretly recording conversations.
Now, what most of these headlines haven't actually got across, however, is that that particular spyware could only be installed via USB.
In other words, the authorities needed physical access to your television, and many of the media have missed that point.
Yeah, if you read the documents, you can see clearly there, it's a USB-only thing. So in some ways, this is sort of same old, same old.
We, intelligence agencies have been using computers, using the internet to spy on each other for ages.
They've been perhaps hoarding zero-day vulnerabilities and not passing them on to vendors, which of course causes harm for all of us, particularly when those zero days then become public knowledge.
The interesting thing right now is WikiLeaks has actually sort of controlled itself a little.
It hasn't released everything which it knows just yet, which isn't always the way that they are. They're not terribly good at redacting themselves on occasion.
They actually aren't sharing details of all of the exploits right now.
Oh, don't. Yeah, one of the things which has come out of this release from WikiLeaks is alleged attack against smart televisions.
There've been a lot of headlines about this so-called Weeping Angel attack.
Clearly they were Doctor Who fans, where allegedly law enforcement agents were able to compromise Samsung smart TVs.
And then even when the TVs appeared to be off, they would be secretly recording conversations.
Now, what most of these headlines haven't actually got across, however, is that that particular spyware could only be installed via USB.
In other words, the authorities needed physical access to your television, and many of the media have missed that point.
Yeah, if you read the documents, you can see clearly there, it's a USB-only thing. So in some ways, this is sort of same old, same old.
We, intelligence agencies have been using computers, using the internet to spy on each other for ages.
They've been perhaps hoarding zero-day vulnerabilities and not passing them on to vendors, which of course causes harm for all of us, particularly when those zero days then become public knowledge.
The interesting thing right now is WikiLeaks has actually sort of controlled itself a little.
It hasn't released everything which it knows just yet, which isn't always the way that they are. They're not terribly good at redacting themselves on occasion.
They actually aren't sharing details of all of the exploits right now.
Just some?
Well, they're sort of skirting around the issue so that they're sharing some code, but they're not given all the juicy stuff.
Now, it may be that they will release that in the future.
My hope, and I don't know if it'll be a forlorn one, will be that they will actually share this information with the vendors because they're the people who actually have to protect against those things.
But yeah, that information has somehow been stolen from the CIA, and it does look as though this is from the CIA, and that means it could be in the hands of anybody, which means all of us potentially are at risk unless these bugs get fixed.
Now, it may be that they will release that in the future.
My hope, and I don't know if it'll be a forlorn one, will be that they will actually share this information with the vendors because they're the people who actually have to protect against those things.
But yeah, that information has somehow been stolen from the CIA, and it does look as though this is from the CIA, and that means it could be in the hands of anybody, which means all of us potentially are at risk unless these bugs get fixed.
Here's hoping for responsible disclosure. Perhaps a bit too late.
Anyway, so, Duck, what's been catching your imagination this week?
Well, I took a look.
It's not a— this is not a particularly new family of malware, but it's a sort of interesting, if you like, almost a kind of community ransomware project known as Satan.
Now, as you and I know well from our from the old days of antivirus, sort of occultic themes have always been rather popular with virus writers.
We've had Dark Avenger, Necropolis, My Doom, Anaitas, if you remember, which is Satan backwards, Satan Bug. Those are written by the same guy.
So obviously that's kind of what attracts everyone's attention because there's all this doom-laden imagery.
It's not a— this is not a particularly new family of malware, but it's a sort of interesting, if you like, almost a kind of community ransomware project known as Satan.
Now, as you and I know well from our from the old days of antivirus, sort of occultic themes have always been rather popular with virus writers.
We've had Dark Avenger, Necropolis, My Doom, Anaitas, if you remember, which is Satan backwards, Satan Bug. Those are written by the same guy.
So obviously that's kind of what attracts everyone's attention because there's all this doom-laden imagery.
Basically they're 14-year-old boys is what you're telling me. Or they're Iron Maiden fans.
It seems that in this case there may be a little bit more to it than that, because what you actually do is you go to— you find out the .onion address and you go to this portal, if you like, via Tor on the darkweb, and then you sign up and you create an account.
Obviously it's anonymous. And what you do is instead of just downloading the ransomware or the source code and going off and doing your thing, you kind of join a club.
And basically the backend to Satan generates you a unique copy of the malware, which is tailored to the ransom that you want to ask.
So you can say, well, I want to charge half a bitcoin and then I want to wait a week and then I want to ramp the price up to one bitcoin. And you can set those parameters.
So you get the malware tailored to you, you get some delivery tools, script tools that it generates for you that you can copy and paste.
Then the crooks actually deal with collecting the bitcoins. And of course, you have complete faith in them to be quite honest about how much revenue they've generated.
And they take 30% of the proceeds and send the rest back out to you via bitcoin.
So they're running the infrastructure, they are doing the bitcoin processing, they're generating the malware, and there's even, oh dear.
Obviously it's anonymous. And what you do is instead of just downloading the ransomware or the source code and going off and doing your thing, you kind of join a club.
And basically the backend to Satan generates you a unique copy of the malware, which is tailored to the ransom that you want to ask.
So you can say, well, I want to charge half a bitcoin and then I want to wait a week and then I want to ramp the price up to one bitcoin. And you can set those parameters.
So you get the malware tailored to you, you get some delivery tools, script tools that it generates for you that you can copy and paste.
Then the crooks actually deal with collecting the bitcoins. And of course, you have complete faith in them to be quite honest about how much revenue they've generated.
And they take 30% of the proceeds and send the rest back out to you via bitcoin.
So they're running the infrastructure, they are doing the bitcoin processing, they're generating the malware, and there's even, oh dear.
I'm guessing there's a fee for this.
Yeah, 30%. Oh yes, of course, yeah, yeah, that you make. And when I looked at that, I thought, I wonder where they got 30% from?
It couldn't be that they thought, hey, it worked for iTunes, it'll work for us. And I guess that's exactly what they are doing.
They said there's no upfront fee, you just pay as you go, we take 30% just for doing the collection, and you get to decide.
And the minimum, the minimum payment is 0.1 bitcoins per go, which is the current rate about $125 US.
So they've got— fortunately, the malware it generates, you know, most products like decent antivirus products these days will mop it up.
But it's just this whole kind of, well, join the club and we'll take care of everything.
And you don't— all you have to do is worry about, think about how you're going to disseminate the malware to people.
It couldn't be that they thought, hey, it worked for iTunes, it'll work for us. And I guess that's exactly what they are doing.
They said there's no upfront fee, you just pay as you go, we take 30% just for doing the collection, and you get to decide.
And the minimum, the minimum payment is 0.1 bitcoins per go, which is the current rate about $125 US.
So they've got— fortunately, the malware it generates, you know, most products like decent antivirus products these days will mop it up.
But it's just this whole kind of, well, join the club and we'll take care of everything.
And you don't— all you have to do is worry about, think about how you're going to disseminate the malware to people.
Yes, it sounds like you don't really have to be that technical at all to jump on the ransomware.
Well, you've got to get on, you have to get on to Tor and get to the actual location.
All right, that's not— but then you need to know how to pay people in bitcoins if you're going to be a victim, don't you? I mean, it's just following a process.
It's just, okay, here's the Word document, it's going to tell me how to set up Tor and how to find this place.
But ultimately, the Satan service is basically white labeling some ransomware for you, isn't it? And then all you've got to do is, what, spam it out to people or plant it somewhere?
It's just, okay, here's the Word document, it's going to tell me how to set up Tor and how to find this place.
But ultimately, the Satan service is basically white labeling some ransomware for you, isn't it? And then all you've got to do is, what, spam it out to people or plant it somewhere?
And what's really galling is there's even this kind of community part of the website where if they don't support your language for the pay page, you can go in and provide a translation and they'll verify it and then they'll make it available to everybody else.
Wow.
So there's a page where you put in your localization strings for all the text, sentences like, "Your personal files have been encrypted," and "Don't think of trying to do this yourself," and "You've got 5 days," and all that stuff.
Wow.
So there's a page where you put in your localization strings for all the text, sentences like, "Your personal files have been encrypted," and "Don't think of trying to do this yourself," and "You've got 5 days," and all that stuff.
I wonder if people are attracted to it because it distances themselves from the actual ransomware. So say, for example, it's an insider job, for instance, right?
And you wanted to get back at your employer for whatever reason you're disgruntled.
I wonder if this is attractive from that point of view, that your involvement is pretty well hidden.
And you wanted to get back at your employer for whatever reason you're disgruntled.
I wonder if this is attractive from that point of view, that your involvement is pretty well hidden.
I don't, to be honest, I don't think we've seen that many samples of this going around, so I don't think it, fortunately, it hasn't taken off as a giant business thing.
But now we've mentioned it on Smashing Security, everyone will be looking for it, right?
Yes, thanks, Duck. Thank you. As you know, on Smashing Security, we like to end our articles with a section that says what to do.
And in this one, I put this— the answer to that bit's really simple: don't. You know, don't get involved in this.
And if you do and you get caught, then please don't expect any sympathy.
The courts are not going to look kindly on you, and they're not going to say, oh well, someone else did the dirty work and I only clicked a few buttons. It's not like that.
You know, you're demanding money with menaces, and that's a pretty serious crime in any country.
And in this one, I put this— the answer to that bit's really simple: don't. You know, don't get involved in this.
And if you do and you get caught, then please don't expect any sympathy.
The courts are not going to look kindly on you, and they're not going to say, oh well, someone else did the dirty work and I only clicked a few buttons. It's not like that.
You know, you're demanding money with menaces, and that's a pretty serious crime in any country.
Don't do it, folks. Don't do it, folks.
No, do something more worthwhile with your time instead, like playing the Nintendo Classic Mini. And you know what?
If you do it and you get caught, don't ask for bail. Start doing your time because you are going to get a custodial sentence.
You may as well start eating into the time you're going to have to serve while you're remanded in custody. That's my opinion anyway.
You may as well start eating into the time you're going to have to serve while you're remanded in custody. That's my opinion anyway.
Okay, well, thank you very much, Duck. Carole, what have you got for us?
Well, I have a question to start. How would you guys feel about border control inspectors looking at the contents of your devices?
So imagine them snooping through your apps, your accounts, social media feeds, calendars, emails, etc.
So imagine them snooping through your apps, your accounts, social media feeds, calendars, emails, etc.
Well, I don't really like them looking through my underpants and socks, to be honest. I'd be pretty uncomfortable with them rifling through my laptop and my phone as well.
No, I wouldn't like it at all.
No, I wouldn't like it at all.
But it is a— I mean, in the UK, it's been the law for what is it, nearly a decade now that they have the right to do that in the same way, open your suitcase, they can look through your underpants and they can say, we want to have a look through your laptop and therefore make sure that if that bothers you, then, you know, you need to learn how to do backups properly so that you don't have to carry everything with you, which seems a good idea anyway.
Well, yes, and I think it's interesting, Duck, you say that because since the new US president's executive order on immigration and terrorism, privacy groups like the EFF have voiced concerns about an increase in the number of invasive digital practices.
This is what they're calling these searches during border inspections.
So in other words, they're worried that more travelers are being asked to surrender their devices and passcodes. Now, so I wanted to see how bad this problem was.
It turns out that in 2015, about 5,000 electronic devices were inspected. So this is a teeny tiny percentage of the 400 million US arrivals during 2015.
However, in 2016, there was a sharp rise. It went up to 23,000 searches as opposed to 5,000.
So I'm not surprised that the growing number of travelers entering the US, be they citizens or not, are looking to try and control this type of data leak at the border crossings.
So looking around the web, there's a number of articles on this with a lot of people providing advice.
But the advice got me thinking that perhaps we weren't really discussing the consequences of carrying out this advice, and I wanted to get your take on this, right?
So we've got, for example, carrying no devices or carrying wiped devices, encrypting sensitive files, refusing to comply, and then basically saying that you don't have your master password or you don't have your two-factor device with you.
So these are the types of popular advice that we're seeing. And I wanted to get your take. So what do you think about carrying no devices?
This is what they're calling these searches during border inspections.
So in other words, they're worried that more travelers are being asked to surrender their devices and passcodes. Now, so I wanted to see how bad this problem was.
It turns out that in 2015, about 5,000 electronic devices were inspected. So this is a teeny tiny percentage of the 400 million US arrivals during 2015.
However, in 2016, there was a sharp rise. It went up to 23,000 searches as opposed to 5,000.
So I'm not surprised that the growing number of travelers entering the US, be they citizens or not, are looking to try and control this type of data leak at the border crossings.
So looking around the web, there's a number of articles on this with a lot of people providing advice.
But the advice got me thinking that perhaps we weren't really discussing the consequences of carrying out this advice, and I wanted to get your take on this, right?
So we've got, for example, carrying no devices or carrying wiped devices, encrypting sensitive files, refusing to comply, and then basically saying that you don't have your master password or you don't have your two-factor device with you.
So these are the types of popular advice that we're seeing. And I wanted to get your take. So what do you think about carrying no devices?
Well, I would find— well, carrying no device at all, I'd find that quite difficult because I mean, I'm actually going on a trip next weekend overseas and I'd feel, yeah, I'd feel lost without my smartphone or something with me or an ability to call a cab.
I mean, not many people these days must be traveling with no devices. Yeah, I think it would actually be a red flag, right?
I mean, I think ultimately no one wants to get on that persons of interest list, right?
I mean, I think ultimately no one wants to get on that persons of interest list, right?
Well, not again anyway.
A lot of people are talking about wiping devices completely before you actually go through the border control.
Oh, yes, because that's not going to look suspicious, is it, if you have a completely blank smartphone?
Yeah, exactly. It's a suspicion of it.
And I think the whole thing here is about basically what you're doing is trying to deny customs and border control officers access to your data, right?
You're trying to say, and I think the passwords are just a way for them to get access to your data.
So by denying them access to your password, I don't know, you're risking being detained, you're risking your devices being seized.
And I just think it's important for people to understand this, right, before they kind of decide to exercise their civil rights.
And I think the whole thing here is about basically what you're doing is trying to deny customs and border control officers access to your data, right?
You're trying to say, and I think the passwords are just a way for them to get access to your data.
So by denying them access to your password, I don't know, you're risking being detained, you're risking your devices being seized.
And I just think it's important for people to understand this, right, before they kind of decide to exercise their civil rights.
Well, yeah, I've always been fascinated by, if you like, what jurisdiction you're in when you're airside in an airport.
I once had a trip, I had to fly from Iceland to Seattle to go to— it was a device driver fest at Microsoft. And you think, well, that's great.
I'm coming from the UK, I'm going to Iceland, and I'm going on to Seattle. Iceland's kind of halfway-ish.
But it turned out that the easiest way to fly from Iceland to Seattle is via Heathrow, believe it or not.
But I never entered the UK, and I was in this bus on the wrong side of this chain-link fence in amongst some sort of place where trucks get serviced. And clearly I wasn't in the UK.
I never had to show my passport. I never, as far as I can see, legally entered the UK.
And if I'd made a break for it and jumped over the fence, then I would have been doing something very bad, even though I have a right to be in the UK.
And I kind of figured, well, you know, what happens when you're in immigration? Where are you?
And so I think it's very— if you want to be one of those people who go, "Oh, I know my rights," maybe you don't.
Because it's not quite the same as if you'd actually gone across the line.
You're in this area where they're saying, well, we're deciding whether you go, whether we're going to let you go forward and take those rights.
I once had a trip, I had to fly from Iceland to Seattle to go to— it was a device driver fest at Microsoft. And you think, well, that's great.
I'm coming from the UK, I'm going to Iceland, and I'm going on to Seattle. Iceland's kind of halfway-ish.
But it turned out that the easiest way to fly from Iceland to Seattle is via Heathrow, believe it or not.
But I never entered the UK, and I was in this bus on the wrong side of this chain-link fence in amongst some sort of place where trucks get serviced. And clearly I wasn't in the UK.
I never had to show my passport. I never, as far as I can see, legally entered the UK.
And if I'd made a break for it and jumped over the fence, then I would have been doing something very bad, even though I have a right to be in the UK.
And I kind of figured, well, you know, what happens when you're in immigration? Where are you?
And so I think it's very— if you want to be one of those people who go, "Oh, I know my rights," maybe you don't.
Because it's not quite the same as if you'd actually gone across the line.
You're in this area where they're saying, well, we're deciding whether you go, whether we're going to let you go forward and take those rights.
We've come up with a bit of a few pieces of advice on this to help.
You know, I mean, the thing to understand is that these border searches are backed by immigration and terrorism legislation.
So that's, that's what, that's the reason they're doing this.
So in other words, being prepared to dispel any of these concerns to officers if they may, if, you know, if they occur, is a smart approach to right?
So you want to be prepared for questions like, what's the purpose of your visit? How long is the visit?
You know, have proof that you're not planning to stay in the US indefinitely, like a return ticket.
Have a clear schedule of where you're going to be, where you're going to be staying during your visit, and review what's on your devices and delete data or accounts that you don't need anymore or that you don't think is appropriate for this trip.
And encrypt anything sensitive.
You know, I mean, the thing to understand is that these border searches are backed by immigration and terrorism legislation.
So that's, that's what, that's the reason they're doing this.
So in other words, being prepared to dispel any of these concerns to officers if they may, if, you know, if they occur, is a smart approach to right?
So you want to be prepared for questions like, what's the purpose of your visit? How long is the visit?
You know, have proof that you're not planning to stay in the US indefinitely, like a return ticket.
Have a clear schedule of where you're going to be, where you're going to be staying during your visit, and review what's on your devices and delete data or accounts that you don't need anymore or that you don't think is appropriate for this trip.
And encrypt anything sensitive.
Yeah.
I mean, I'd like to think that, I hope it never happens, but it would be nice that, you know, if you searched, if I did have my device searched at customs or technically, maybe it's not customs, at the border anyway, I'd hope that I'd get the seal of approval from the guy saying, "Yes, it's obvious that you're not trying to hide everything and you've let us see enough for us to make an informed decision, but you obviously don't just carry absolutely everything with you where it could fall into the wrong hands." You want a little round of applause, don't you, Doug?
Yeah, you want a ripple.
Yeah, I didn't think that through, did I?
You know, the people, the victims of what they feel is unwarranted digital invasion when they've crossed borders. And there are many stories out there on the web.
It's not very fun for them to do. And I'm sure they feel that they've provided the same amount of information.
It's just, if you're on a list to be flagged, you know, and you're gonna be on that list indefinitely, and that makes international travel or travel to the US, it's gonna be pretty difficult.
It's not very fun for them to do. And I'm sure they feel that they've provided the same amount of information.
It's just, if you're on a list to be flagged, you know, and you're gonna be on that list indefinitely, and that makes international travel or travel to the US, it's gonna be pretty difficult.
Allow more time. Yeah.
And there's also that problem that if you do try too hard to stick up for your rights and you say, well, I'm not going to let you do it, then they can just shrug and go, okay, then you can't come in.
And they're perfectly entitled to do that.
And then the next time you go to the US or the UK or France or wherever, you have to tick that little box that says, "Have you ever been denied entry?" Yes, exactly.
And then underneath, "Tell us why."
And there's also that problem that if you do try too hard to stick up for your rights and you say, well, I'm not going to let you do it, then they can just shrug and go, okay, then you can't come in.
And they're perfectly entitled to do that.
And then the next time you go to the US or the UK or France or wherever, you have to tick that little box that says, "Have you ever been denied entry?" Yes, exactly.
And then underneath, "Tell us why."
"We know, but we want to see how you remember it." So I heard one other interesting idea of how to deal with this.
So if you are on a list, if you are someone who you think, you know, you'd be concerned if you were stopped.
Obviously, we recommend on this podcast that people encrypt their hard drives and encrypt any sensitive information. You know, it just makes general good sense.
But I've also heard this idea of you should use an encryption program which accepts more than one password. And so you have the password to decrypt your regular working computer.
But maybe the encryption software could take another password, which is the one you use at border control, which maybe opens a different image. TrueCrypt, if you remember that.
So if you are on a list, if you are someone who you think, you know, you'd be concerned if you were stopped.
Obviously, we recommend on this podcast that people encrypt their hard drives and encrypt any sensitive information. You know, it just makes general good sense.
But I've also heard this idea of you should use an encryption program which accepts more than one password. And so you have the password to decrypt your regular working computer.
But maybe the encryption software could take another password, which is the one you use at border control, which maybe opens a different image. TrueCrypt, if you remember that.
It was TrueCrypt which did that, was it? Well, it was one of them. Plausible deniability, as they call it.
The idea is that, you know, you refuse and you refuse and refuse and they beat you a little bit and you crack and you go, oh, and you give them a bit of the password, you give them a bit more and then they go, yes, we've got it.
And then they go in and there's this fake persona. Do you know how hard it is to create? Firstly, you've got a 1 terabyte hard drive, which has half a terabyte hard disk on it.
Well, that's interesting. What's in the other half? And you don't know how hard it is to build a likely image if you only keep it there for occasional stuff. I mean, think about it.
If you've got a Mac and you've split it so you've got Windows and Mac, and then after a while, possibly several minutes, you'll realize that there's not much point in booting Windows and you'll just stick in macOS all the time, right?
And so you'll boot Windows once a month, once every two months when you need to.
You're always going to be— and you know what a pain that is because you're always so far out of date, and then you have to sit for 4.5 hours while the partition you use less frequently.
Or if you have virtual machines and you only boot them once a month, you know what a pain it is. You boot them up, you think, oh, now I have to go through all the updates.
I really better do it that would have happened throughout the month. It's really hard to keep two lives in sync, intact.
The idea is that, you know, you refuse and you refuse and refuse and they beat you a little bit and you crack and you go, oh, and you give them a bit of the password, you give them a bit more and then they go, yes, we've got it.
And then they go in and there's this fake persona. Do you know how hard it is to create? Firstly, you've got a 1 terabyte hard drive, which has half a terabyte hard disk on it.
Well, that's interesting. What's in the other half? And you don't know how hard it is to build a likely image if you only keep it there for occasional stuff. I mean, think about it.
If you've got a Mac and you've split it so you've got Windows and Mac, and then after a while, possibly several minutes, you'll realize that there's not much point in booting Windows and you'll just stick in macOS all the time, right?
And so you'll boot Windows once a month, once every two months when you need to.
You're always going to be— and you know what a pain that is because you're always so far out of date, and then you have to sit for 4.5 hours while the partition you use less frequently.
Or if you have virtual machines and you only boot them once a month, you know what a pain it is. You boot them up, you think, oh, now I have to go through all the updates.
I really better do it that would have happened throughout the month. It's really hard to keep two lives in sync, intact.
Duck, maybe border security will be so bored after waiting 6 hours for all the Microsoft Windows updates to install that they'll just wave him through.
We can't deal with this any longer.
We can't deal with this any longer.
Maybe that's the way to do it.
Well, of course, once they can make an image of your files after you've decrypted them, I suppose that they don't, if they think you're not going to vanish off the face of the earth, they could always just take an image and then let you go and then deal with it later.
They can copy your whole hard drive, right?
Well, of course, once they can make an image of your files after you've decrypted them, I suppose that they don't, if they think you're not going to vanish off the face of the earth, they could always just take an image and then let you go and then deal with it later.
They can copy your whole hard drive, right?
And say, off you go.
They know where you're staying.
So I guess what's changed the game a lot, and I can understand this, is the fact that at least the premium versions of Windows and all the Linuxes and all MacOses have— well, in macOS, FileVault, for example, BitLocker on Windows— they have this strong full disk encryption.
And man, you should be using that. It's not there because you're a crook or a terrorist.
It's there because people lose laptops, and it shouldn't be so easy that a crook can wander up, boot your device off a USB key and copy off every single file without even needing to know how that works.
Can be automated. It shouldn't be that easy. So you should be using full disk encryption.
But then I guess the flip side is that means that at the border they can't just go, okay, we're going to take an image, we're going to image your disk, because then they get the encrypted image and it would be no use.
So I guess that's also, as more and more people try to comply with what say the Information Commissioner's Office would love them to do and not have unencrypted laptops wandering around in public, as you try and do the right thing from one side of the government's viewpoint, then the other side is in this position that they actually have to sort of stop you and say, look, you need to put in your password.
So I guess what's changed the game a lot, and I can understand this, is the fact that at least the premium versions of Windows and all the Linuxes and all MacOses have— well, in macOS, FileVault, for example, BitLocker on Windows— they have this strong full disk encryption.
And man, you should be using that. It's not there because you're a crook or a terrorist.
It's there because people lose laptops, and it shouldn't be so easy that a crook can wander up, boot your device off a USB key and copy off every single file without even needing to know how that works.
Can be automated. It shouldn't be that easy. So you should be using full disk encryption.
But then I guess the flip side is that means that at the border they can't just go, okay, we're going to take an image, we're going to image your disk, because then they get the encrypted image and it would be no use.
So I guess that's also, as more and more people try to comply with what say the Information Commissioner's Office would love them to do and not have unencrypted laptops wandering around in public, as you try and do the right thing from one side of the government's viewpoint, then the other side is in this position that they actually have to sort of stop you and say, look, you need to put in your password.
Well, it's an interesting topic, isn't it? Carole, is there anywhere where people can go to read more about this and get some advice?
Thank you. Yeah, I'd recommend actually reading this great article by The Grugq.
He's a security and counterintelligence expert, and he deals with the consequences pretty honestly, I felt. So there's a note in the show links for anyone who wants to read more.
And finally, if anyone actually feels like they've been a victim of unwarranted digital invasion, the EFF would love to hear from you.
So do email if you have a story to tell. Was that a pun, unwarranted?
He's a security and counterintelligence expert, and he deals with the consequences pretty honestly, I felt. So there's a note in the show links for anyone who wants to read more.
And finally, if anyone actually feels like they've been a victim of unwarranted digital invasion, the EFF would love to hear from you.
So do email if you have a story to tell. Was that a pun, unwarranted?
Because that's part of the legalese, isn't it?
That actually when you're in that, what you might call the no man's land, then the usual stuff about warrants and First, Second, Third, Fourth, Fifth Amendments don't really apply.
You're in a kind of, you're in a zone with sort of its own laws, its own different regulations.
That actually when you're in that, what you might call the no man's land, then the usual stuff about warrants and First, Second, Third, Fourth, Fifth Amendments don't really apply.
You're in a kind of, you're in a zone with sort of its own laws, its own different regulations.
Yeah, I think Edward Snowden was lost in one, wasn't he, for a while? I think at Moscow Airport. And then of course Thom Hanks famously.
Wasn't Snowden actually, he was in transit, but it was actually in some, like the nth floor of the hotel outside the airport. And then he couldn't leave the hotel or something.
It does get, and of course we've got Mr. Assange in the Ecuadorian flat in Kensington, and he's not in the UK, but he's certainly in the British Isles.
So it gets a bit legally crazy in places like that, doesn't it? It does.
It does get, and of course we've got Mr. Assange in the Ecuadorian flat in Kensington, and he's not in the UK, but he's certainly in the British Isles.
So it gets a bit legally crazy in places like that, doesn't it? It does.
Well, look, I think our time is up. Thank you very much, Paul, for joining us today. It's fantastic as always to have you on the podcast. Thank you, Carole, as well.
Don't forget, folks, we're on iTunes and Google Play Music and Stitcher and Overcast and all kinds of other podcast apps as well.
Even if you have one of those ghastly Amazon Echos, you can get us — if you have one of them, oh, that's the ever-seeing eye of Sauron in your kitchen.
If you're using one of those things, you can also listen to the podcast there. So check us out. Please leave a review. It really, really helps.
We really appreciate everybody who's leaving us reviews on iTunes.
It's fantastic and gives us more exposure to other people and hopefully spreads the word and really makes a big difference. So thanks for tuning in.
If you the show, tell your friends. And follow us on Twitter. We are @SmashingSecurity. That's "smashin" without a G "security" because Twitter wouldn't give us enough characters.
Why isn't our podcast name Smashin Security? Because we're on episode 11 now, Carole. It's going to be confusing. Do you think we should change the name of the podcast?
Tell us on Twitter if we should change the name of the podcast. Why not? Thanks, chaps. And we'll be back with you next week. Toodaloo. Bye. Bye.
Don't forget, folks, we're on iTunes and Google Play Music and Stitcher and Overcast and all kinds of other podcast apps as well.
Even if you have one of those ghastly Amazon Echos, you can get us — if you have one of them, oh, that's the ever-seeing eye of Sauron in your kitchen.
If you're using one of those things, you can also listen to the podcast there. So check us out. Please leave a review. It really, really helps.
We really appreciate everybody who's leaving us reviews on iTunes.
It's fantastic and gives us more exposure to other people and hopefully spreads the word and really makes a big difference. So thanks for tuning in.
If you the show, tell your friends. And follow us on Twitter. We are @SmashingSecurity. That's "smashin" without a G "security" because Twitter wouldn't give us enough characters.
Why isn't our podcast name Smashin Security? Because we're on episode 11 now, Carole. It's going to be confusing. Do you think we should change the name of the podcast?
Tell us on Twitter if we should change the name of the podcast. Why not? Thanks, chaps. And we'll be back with you next week. Toodaloo. Bye. Bye.
Graham. Don't you have something to share with us before we go?
Something to share with you before we go?
Yes. Think, think, think.
Oh yes, you're right. Absolutely. We have to say thank you to FourSys who are supporting the show this week and they've got a fantastic offer for Smashing Security listeners.
If you go to foursys.co.uk/toolkit, you can download their pack which gives you everything you need to raise awareness about computer security issues inside your organization and train your staff.
Do you remember the URL, Carole?
If you go to foursys.co.uk/toolkit, you can download their pack which gives you everything you need to raise awareness about computer security issues inside your organization and train your staff.
Do you remember the URL, Carole?
Yes. Foursys.co.uk/toolkit. How do you spell FourSys? F-O-U-R-S-Y-S.
Very good. Bye. I should charge for the jingle.
If they do release the hacking code and exploits, that may be a good thing for us security professionals – bags more work! ;-)
You're short of work?
This story made me wonder–aren't microphones and speakers pretty much the same, just with the signal going opposite ways, and therefore if you could hack into any TV with an internet connection (and USB port), couldn't you theoretically make it do the same using the speakers instead?
I'm sure if it were possible this would have come up before someone thought it was a good idea to add microphones, though.
You don't need an USB stick to install "Weeping Angel"!!!! Get you facts right before you start criticizing some one else to be sloppy with facts!
All you need to do to install "weeping angel" is to hack the TV, which can be done easily depending on how well the security is setup at that specific home, what services that are running on it and how sloppy the home user is with IT-security over all (no firewalls, default passwords, admin access to all users etc…).
When you "are in" all you need to do is to remotely mount an ISO file (or download) with Weeping Angels on it and are then ready to go. No need for physical break in at all.
Hi Bo
My reading of the leaked file ( https://wikileaks.org/ciav7p1/cms/page_12353643.html ) was that the "current" method they had for installation was via USB, and that a Samsung firmware update had already prevented that vector.
I haven't seen any claims in the documents that researchers had managed to install the code remotely.