Join me and fellow computer security industry veterans Vanja Svajcer and Carole Theriault as we have another casual video chat about whatever is on our minds. You can either watch the video, or listen to the podcast.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Smashing Security, Episode 002, Invest in Carrier Pigeons, with Carole Theriault, Vanja Svajcer and Graham Cluley. Hello, hello, and welcome to Episode 2 of Smashing Security. Well, Carole, what are you smirking at at that point? I'm just trying to be upbeat. You said... It's only because it's smashing.
You'll see, guys, Graham is standing up, right? And Graham does a lot of stage presenting. So that's what's going on here. He's presenting.
Let's go. Let's do this. You said make it dynamic this time. I don't think I've ever said that. Put in lots of, because we want to be finished within about 20 minutes. Do you think we're going to do it? Do you think we're going to do it in 20 minutes? 20 minutes. Let's go. All right. Okay. Episode two is 5th of January, 2017. And we have brought, each of us has brought to the table a story that we've uncovered from the world of computer security this week. We don't reveal to each other what the story is until we actually meet here right now in the chat. So we can now see it. He's lying. He's
lying. He's lying. He's lying. He's totally lying. I don't know why he's lying, but I want, I just want, I want authenticity. I want transparency. Graham is lying.
Okay, carry on. Story number uno, number one is friend of the show, Donald Trump. He's between jobs at the moment, so he wasn't able to make it onto the podcast today. But he has been talking about computer security. In fact, on New Year's Eve, he was accosted by one of those evil journalist types who asked him, so what's all this about the hacking and Russians hacking into America and into the Democratic Party and all these kind of things? And Donald is not shy of an opinion, and he said some surprising things. He said that no computer is safe and that it's very hard to prove that a hack is linked to a particular country, he said. So
he's been well advised by his advisors, it seems.
Well, I completely agree. I mean, that was the surprising thing. I thought, actually, you know what, you're right. What computers are safe in this day and age from internet attack and from hackers and from malware? There's the old joke of don't plug in your computer and then you're pretty safe, you know. Don't look at this, whoa. Are
you saying then that you don't believe the CIA is right and it's pointing the finger at Russia?
Oh, well, that's different. Okay, so I do think it's probable that the Russians were behind the hack which hit the Democratic Party. I think there's a number of reasons to believe that that's the most likely. However, proving it 100% is extraordinarily difficult. What we do know is that they were effectively hacked via a phishing attack. That was the primary method that gave them access to the email archive. But this is the other thing. How do you keep the information safe? Well, the journalist asked Donald Trump that as well. And this is what he said. He said, you want something to really go without detection, write it out, and have it sent by courier. He didn't say carrier pigeon, although that presumably is an option as well. But what he's saying is, you want to keep a secret, don't put it on a computer. And yeah, that is going to stop it from being hacked.
As you know, carrier pigeons were successfully used in the Second World War. Yes, they were. Intelligence. That's right. Yes, they were. Of course, the couriers, a few thousand years ago, even in the recent wars, they were used. But whether they're safe, that's a different question. It depends on the cipher you're using. Right, exactly.
If you're using a Caesar cipher or a ROT13 or something like that, that is not going to be as secure as using OpenPGP or GPG to securely encrypt your messages and have some certainty as to who can open it, who can unlock it and decrypt it. But even then, if you send an encrypted message, if the endpoint, if the other computer you're communicating with is compromised in some fashion, a hacker could still see the message, right? Well, absolutely.
I mean, that's... most of the recent Trojans and recent attacks have installed Trojans, which would actually allow a remote attacker to see exactly what you're doing and record all this data and export it.
Right, it's sort of par for the course these days for hackers when they infect your computer. Their malware is not only going to be able to access any file on your hard drive, but it has the ability to take over your webcam, to log what's happening on your screen, take remote control of your keyboard, grab your keystrokes and all kinds of other shenanigans as well.
Do you not think, though, sorry, I know we ought to move on, but don't you think, though, that social engineering is playing a much bigger part in malware than it used to? So we're much more reliant now on things like phishing emails or social engineering attacks where you're trying to dupe someone into providing you an access point to get in to get the information you need to hold it for ransom or for whatever your end game is.
I think the truth is that the weakness is where it always was. You know, thousands of years ago, the weakness was primarily a human one. It was either going to be someone who was corrupt, who you gave your message to, who you trusted to transport across the plains of, you know, wherever to get to the end point. Or there was someone at the other end who dressed up as the king and said, hey, man, I'm the king. Why didn't you give me the message so that I can read it? That wasn't meant to be an Elvis impression. I love how you started bouncing around.
You started bouncing when he was the king. There's obviously a sister. Hey, Graham wants to be the king so bad.
But those sort of threats. I mean, I think the surprising thing is that some of these attacks can be perpetrated by 14 year olds. They don't need enormous sophistication because just the simple attacks like phishing really work. And they are going to carry on working for hundreds and hundreds of years because it ultimately is exploiting a weakness in people. And that's what happened in the Democratic Party.
So what we're saying then...
Online is not dodgy or wrong or going to lead you down a bad path, and invest in carrier pigeons. Yeah, okay, something like that. But what, so I mean, in summary, with this particular story, and there's been some absurd stories in the press and there's been some poor communication and all sorts of things like this. My personal belief is, do I think it was the Russians? Yeah, I probably do. I think they had the motivation and they were attacking other military and government officials. And so I suspect it wasn't a 14 year old who was behind that particular attack. I think that's likely, but proving it 100%, really, really difficult. Attributing an attack, confirming it's even state sponsored, let alone which state might have done it. Really, really hard.
It's very hard. I often think of how some of the best companies that work with the government actually are able to attribute some of the attacks. And I think the answer is looking at these sort of historical campaigns over the years. What kind of malware are they using? What sort of infrastructure command and control server, encryption algorithms, encryption key, everything that's repeated you can attribute to an actor A. So how do you now jump from, you know, this is an actor A to this is a Russian intelligence? It's a different question. So I wonder whether the kind of American intelligence services are not telling us everything.
Well, and they may have information which they don't feel comfortable sharing. For instance, they may have people on the inside in other countries who are feeding back information, which they cannot. I don't want to compromise your sources. They're stuck between a rock and a hard place, basically. But it is kind of weird to watch the president-elect and CIA basically not trust each other publicly in the media. It's kind of eek.
You bet that's going to change pretty quickly. Oh, yeah, they're going to completely trust and rely on each other. I think we're going to enter a state of utter normality in the Trump presidency. So make the most of it while you can, Carole, because things are going to dramatically calm down and everything's going to be wonderful. Don't worry about that. So let's move on. What have you got?
Okay, the second story for today is quite related to what Graham was talking about. And it's about the same group of actors that computer security company CrowdStrike is calling APT28. And the new piece of malware that's been discovered on Android phones in Ukraine. So the different, same attackers, different target of the attack. And allegedly there was a software that was used by the Ukrainian D-30 howitzer units to calculate the elevation or the angle of how well they should target, and it was actually infiltrated by the same actor, who included the code that was, among the other things from the phone such as the model of the phone, the type of the phone, the phone number and so on, sending the kind of coordinates of the nearest cell tower that the phone was connecting to.
Sorry, what's a D-30 howitzer? What is that?
Well, it was actually quite popular in the old Soviet times. It's a 122-millimeter artillery weapon. Oh, so it's for the army. It's for the army.
So basically, the howitzers are, well, cannons. I don't know how you call them. He's pretending not to know. Well, actually, they have been used in some previous conflicts in my parts of the world as well. And they were like one of the biggest weapons that was used by the former Yugoslav army.
I love how we always get a history lesson from you, Vanja. I think we need one every week. I love it.
So what we've got here are soldiers in the Ukraine, or in Ukraine, who are downloading this app in order to help them work out what elevation to have their artillery or something in order to shoot off missiles. Yes.
So from like the minutes to actually the way you have to set up your howitzer to shoot, it will bring the time of targeting to like seconds. And the original application was developed by one of the officers in the Ukrainian army and allegedly distributed on Ukrainian military related forums, which to me it sounds a bit... You're assuming those are open forums. They could be closed forums, right? I mean, well, how do you know? If somebody who's a member of the forum, you can always pretend to be the author of the app, which is what allegedly has happened. And that app was downloaded 9000 times, the legitimate one. And we don't know how many people use the illegitimate or trojanized version of the app.
We think this malicious Android app, which helps the army fire their cannons and things like this, was leaking information about the location of these weapons, potentially?
It seems, and if you read the report, which was released by CrowdStrike, you could see that they claimed that about 50% of all the army units that had these howitzers were, how they're called, they had lots of them. So, we don't know whether we're using an app or not, but read between the lines. It was implied that, you know, if you're using the app, you'll be easily discovered easier, easily or easier by the opponent forces.
God, do you think some, do you think some people are getting a big talking down to right now, I bet, on this?
Well, if you think about the whole kind of topic of operational security, that was a big fail on the Ukrainian side if it's true that the Russians have managed to infiltrate their app in that sort of way.
So Vanja, as our man in Eastern Europe, do you have any thoughts as to who possibly might be interested in monitoring the location of Ukrainian ornaments? I mean, who would want to do such a thing?
Yeah, I think it's pretty obvious what people are saying is that the Russians may be behind it. However, the guys from the CrySyS research lab in Hungary have actually discovered a couple of interesting strings in the malware. One of them is, I think it's a variable name, or at least the value of the variable, that has a German word for nothing, nichts, as a default value. And then there's another misspelling of "phone standard" with a T at the end, which, you know, is it kind of Russian spelling, is it German? You know, it's difficult to say. So once again we come to the point that attributing attacks to a particular actor is not an easy thing to do.
Not an easy thing at all. Pretty heavy stuff. Carole, what have you got up your yellow sleeve today for us? I've got something much more fun and light so we can end on a cheery note. So I've actually put a title to my topic, so note to you two, mine's called "Well, we've come a long way from tinfoil hats."
And there's this project called HyperFace, and this guy Adam Harvey, he's an artist and independent researcher based in Berlin, is handling it slightly differently than others by trying to design things like clothing that basically fools photo recognition software. So imagine a coat that's made of a fabric with a pattern, and the pattern basically has faces on it that would be detected by face recognition software. You said faces, did you? Faces, so imagine, yeah.
Something like this, you know, were you making a very rude joke?
You have a child, don't you? A five-year-old? Yeah, I think there's a lot of potty talk.
So the whole idea is it kind of confuses it. So you'd wear this out if you didn't want people to take pictures of you and having the camera being able to kind of say, "Oh, that is definitely Graham Cluley, and I'm going to tag that with his social media pictures and find him everywhere on the web" is the idea. Now kind of cool, ridiculous, what are you guys thinking?
Well, it reminds me of something that we did a long time ago in some of our previous lives, the April Fools joke which we did. We actually claimed that we developed technology that can detect hackers, all the bad guys, simply by recording your photo, the way you look, and this is the counter to that.
It was when you wore a baseball cap or something like that, or if you had facial hair like Vanja does, it must be a link.
Facial hair was almost instantly unrecognizable.
Yeah, we'll put a link in so people can see it because that's ages old but that's great fun. Now this guy, let me just finish this because there's some great stuff here. So this guy has done other projects, one called Camo Flash which would be a purse with an electronic device that reacts to a camera's flash. So with light, so when the light hits, it basically shines back and it makes your face look like a halo of light. So it's all kind of stealth wear. He has anti-drone scarves meant to be worn over your head and it kind of subverts thermal vision surveillance from military drones. So it's useful fashion.
So you either flash somebody or just hit them in the face. That's what they would do in creation.
I don't know if you noticed this, but we just lost Graham. Graham. No one noticed, no one noticed, no one noticed. You're back.
I'm back anyway, it wasn't — I was bored Carole, it wasn't — it was my dog so I had to disappear. For those people just listening not seeing the pictures, I had to go to the front door because the dog wanted to get out. Yeah but it's all right now anyway. So what my question is this: why wouldn't someone just wear a balaclava or a wide brimmed hat or some spangly sunglasses?
Yeah, I think they do. I think this guy is giving, you know, he's an artist. He's also commenting on it, but he's also raising the issue of look, privacy is something that we — I don't think we take for granted today. I think we're fighting tooth and nail, many of us, to try and keep a hold of some level of privacy, because somehow it feels like a human right to me anyway. But I don't know if the next generations are going to feel the same, if they're just going to be able, you know, for convenience sake of having a phone or having a smartwatch or having all these gadgets, are we giving up something much more precious? And I think that's what he's bringing to the fore, right? That's what he's bringing us to discuss and to think about, which is good.
Well, there are many people actually thinking about privacy, but I'm afraid this is a losing battle because most of the people really like their convenience of having the phone, having the information, posting it anywhere, posting it on Facebook. They don't really care or they don't really mind that this information is actually collected and it's used for commercial and potentially for any other kind of surveillance type purposes. So yeah, I don't know. There will always be people who will be very privacy conscious and they'll be, let's say, protected or at least they'll think they're protected. But majority of people will be kind of exposed to what we have now.
We're all around the same age, but you remember when the door closed when we were kids, right? It was like utter privacy in the house, right? There was no way unless someone had a camera and they'd maybe get it developed a month later. There wouldn't be any evidence of it. And now we all have cameras everywhere and voice recorders, and we put them in our homes liberally.
We don't even have a room for it. Some people are even streaming their podcast chats live on YouTube. How insane is that? And then the dog wants to get out the front door. Nuts, what we're revealing here you'd never have noticed if you hadn't been watching. We are just about running out of time. Very quickly, let's have some feedback on last week's show. It was our first ever episode and we were talking about the challenge of providing technical support to our friends and families over the holiday season and managing elderly relatives' passwords. Thanks to everybody who gave us some feedback on the show. We're glad some of you enjoyed it anyway, including Juliet Spensley who sent a message saying "hilarious, absolute comedy gold, please post more." She must have been watching some Jimmy Kimmel or something like that rather than us. But she carries on to say "I share your sentiments about your elderly parents and in-laws. My mum is 80 and she wants an iPad," and that's a really sensible type of computer to get an elderly parent - not too much tech support and no real risk of getting any malware on it. Yeah, even my mother-in-law has an iPad and she knows how to use it, so it's pretty good. Well, Juliet's mum wants to FaceTime her mother in Australia who is 104. So well done Australian mum, grandmom over there, that's very impressive indeed. Who else have we got in the list?
And then we have David Lavec who wrote more about security of the passwords and he says "I both write down passwords and finally install KeePass 2 for Android, which is free and open source." So this is like both physical security and sort of digital security. And it could be actually, you know, having the best to have both. And I don't know, there are a few other people who also commented on the same idea of actually writing down the password. And this is actually, you know, it's not necessarily bad.
It's not necessarily bad, but there are challenges involved. And that's one thing to remember, because if you are, for instance, away from your home and you need your password, you're away working, then having them written down in a book back home is no use at all, is it? It's handier if you can access them on your computer in some ways. And there's a risk, of course, if you do take your password book with you, that it might get stolen. So you know, horses for courses. But most important thing, have secure passwords, make them unique. And that's what people need to do. Well we're about to wrap up. Very quickly, who had the least tedious story this week? Me, me.
Maybe the listeners should decide, not us.
Oh that's a good idea, maybe they could leave a comment.
Yeah, say "Carole, that was a very amazing story, well done Carole."
Well done Carole. Well done Carole. Alright, we'll find out next week who was the best. Carole, Carole.
Isn't that what they do on the X Factor shows?
Yes, yes. Well, that just about wraps it up. Thank you, everybody, for tuning in and the kind words and even the grumpy words as well. We appreciate all of them. If you've got any thoughts, things that you think we should be talking about, get in touch with us. Our Twitter is at Smashing Security. That's smashing without a G security. So until next time, cheerio. Bye-bye. Bye. Bye. Thank you.
This week, in Smashing Security #002: “Invest in carrier pigeons”, we discuss Donald Trump’s views on cybersecurity and his radical explanation of how to keep communications top secret, Ukrainian soldiers being spied upon by Android malware, and an artist who has devised a novel way of avoiding facial recognition technology.
All this, and an unplanned appearance by an invisible dog.
Hope you enjoy the show, and tell us what you think! You can follow the Smashing Security team on Bluesky.
Show notes
- Trump’s ‘no computer is safe’ stance could be disastrous for US and others, cybersecurity experts say
- Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units
- This camouflage makes you ‘immune’ from facial recognition cameras
- Sophos RAPIL: Wiping the smile off virus writers’ faces (starring a young Vanja Svajcer)

Carrier Pigeons! Hasn't The Donald heard of drones?
I enjoy these videos but the bad audio quality makes them difficult to listen to.
I assume you're using Google Hangouts and I appreciate that the other two speakers are not in the UK but the echo makes the whole audio track gnarly to the ear. Your voice Graham sounds crystal clear.
If Skype, FaceTime and other services are equally poor then perhaps if one person waited for the other to finish (I don't know whether delay makes this impracticable) the quality would improve. It seems that when people talk over each other the echo is exacerbated by the audio feedback and compression.
Thanks for bringing that to my attention Bob. I haven't heard from anyone else yet who is having problems with the audio, but that doesn't mean that it can't be improved.
We'll look into different ways that we can make it better, and I know there are plans afoot for an audio-only version for podcast fanatics who don't need to see our ugly mugs.
BTW, I'm imagining that the reason that I'm crystal clear and the other two are hard to decipher is because I'm the only one without an accent.
I too find the audio sketchy at times. The Christmas video was especially bad, it sounded like you were making a transatlantic call on a pre-digital cordless phone :-D
I don't think there's much that can be done to improve the quality unless all parties have fast, stable connections.
I had figured the reason Graham's voice was so clear was because he was recording himself and then overlaying the live streams.
It was all recorded through Google Hangouts. There was no post-production by us or any overlaying or editing (as if we would attempt anything so slick!). So it’s Google taking our audio streams live via Hangouts and shoving them into a YouTube video.
Since recording the Christmas episode, Vanja has switched to a better microphone (and a better webcam).
It’s odd that some people are hearing such poor sound and others don’t seem to be troubled – I think a transatlantic 1980s phone call would sound pretty bad too.
Anyway, thanks for letting me know and we will explore further. Please don’t let it put you off too much!
I normally listen with my Bose external speakers as I tend to only listen to the audio (i.e. I don't watch the video) whilst I'm getting on with some work.
Maybe it's because my speakers are good* and highlight the imperfections or it could be that I have good hearing and am more attuned than most.
* I did stream it to my TV from my computer to test this theory but the result was replicated – probably because the speakers are reasonably good. I also watched it on my phone without headphones and it sounded better because the audio wasn't as crisp.
I'll watch the next episode and see what that's like. For what it's worth I watched the video in 720p48.
Thanks for the additional information. We'll look into it and see what we can do to make things better.
Re privacy: I went from Windows 7 to 10 last summer, and was shocked by the super aggressive demands from Microsoft to know all my data, study my writing patterns, etc. Many people are not able to try to protect themselves from the spies and/or marketers (is there a difference???).