Join me and fellow computer security industry veterans Vanja Svajcer and Carole Theriault as we have another casual chat about whatever is on our minds. You can either watch the video, or listen to the podcast.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Smashing Security. Did I call it something different just then?
I'm not really sure. I'm not sure why you can't remember it's four. It's not like it's 480, is it?
I was thinking for a second. When you reach a certain age, it's a bit difficult to remember. Three, four.
Funny that you should say that, Vanja, because a little birdie told me that you've got maybe a special day of the year coming up very, very soon. I won't comment anything.
No, there is a birthday that's around this time. Vanja, I have your birthday present here. No, yes, look. And I'm thinking I should maybe open it on air.
Could you describe those people who are listening? No, no, no, no. Give us a commentary.
Yes, but we haven't opened it yet, right? So Vanja, we could open it on air. Come on, so we're gonna do this. I'm going to do it on your behalf. I ordered this for you in person and they sent it to me by mail. Okay, the t-shirt. And I'm unfolding.
Look, and it has a yellow.
Goat. It's gorgeous, isn't it? I got one for me too, but mine's in red.
Yep, it goes well with my whatever zodiac sign.
Oh, does it? Yeah, anyway, there you are. I will send that to you. Happy birthday. Thank you very much, it's great, I love it. How old are you now, 50?
Let's say below 70, which is pretty obvious. Well, well, well done guys. Nice one, Carole, and congratulations to our very own Greybeard who is celebrating his birthday of indeterminate age round about maybe around now. We're not going to be specific because this is a security podcast, of course. And number one topic that we're going to discuss with you today is to do, of course, with security. And it's to do with a piece of ransomware, a piece of ransomware called Spora, which has been spotted by computer security researchers which is doing something rather different from the traditional ransomware. I mean, any restore is pretty difficult. There are a couple of other interesting things about this particular ransomware. One is that it actually takes, as it encrypts your drive, it basically records how many different files of file types have been encrypted. And based on that, it seems that it actually offers how much money you need to pay to restore your files, which seems to be if you have a lot of documents, you'll have to pay more. If you have a smaller number of documents, you have to pay less, which is very interesting.
It's not by file type, though. It looks at the certain file types and then it sends a particular string where you send. Because the way it works is it doesn't really require a command control server to be online. You don't need to be connected to internet to actually encrypt the whole drive. And when you upload that
to decrypt your files, then when the guys can actually decide, there can be a script on the server side that says, well, if you had 100 documents, then it's 50 bucks. If you had two more.
I'm wondering, though, I mean, I'm guessing most companies particularly and even users would have a lot more than 100 files, right?
Oh, yeah, definitely. The next step is probably to see what are the file names and then based on the keywords in the file names or maybe even the content you go with, oh, this might be very important. Therefore, people will be willing to pay more for having their files decrypted.
And the fact of the matter is there's no point asking a home user for $10,000 for the restoration of the files, right? But if they manage to encrypt a large number of files, chances are that could be a corporation, for instance, could be that they've infected. And those are people you can ask that money for. The other interesting thing I thought about this Spora ransomware is the way in which it spreads because it has worm-like characteristics. It can spread by USB sticks, for instance. And it seems like a real determined effort here to infect as many computers as possible, but not necessarily using the traditional techniques to do it.
And it's interesting, the whole restore two files for free, that must be in response to a number of pieces of ransomware last year that basically locked your files, but then actually didn't decrypt them or didn't have the facility to decrypt them even after they received payment from the victim.
Right. So if you've been disappointed by previous ransomware infections where you didn't get your money's worth and you couldn't get your files back. Exactly. Don't worry. We're the professionals. We can get your files back this way.
I think it's quite common that they allow you to upload one or two files to show that they can actually decrypt the files.
But also this whole buying immunity feels a bit like mafioso protection money, doesn't it?
Yeah. Give us money, otherwise we're going to be back with the baseball bats, all right?
I'm so embarrassed being North American hearing you do that. That wasn't North American.
Well, with viruses and with malware, the typical scenario is actually completely different. You don't pay. I mean, most of the malware is trying to remove all the other malware families from the computer only to make sure they have the access to the system, while this is a completely different thing if you pay. So there's obviously value in not being infected by any piece of malware. But it's interesting how ransomware is evolving though. They are using different tricks to try and maximize the amount of money. We saw for instance last month the Popcorn Time ransomware which says yes you can pay, normal sort of let's do business that way, but it also says we can be a bit nasty if you like. If you spread some affiliate links for us and manage to infect other people and get them to pay up, then you can get your files decrypted for free. And last week we talked about databases being potentially encrypted. And I actually read this week that not just MongoDB, but CouchDB and Hadoop and some other database management system typically used for big data products or big data projects have been affected in a similar way.
Right. And if a corporate database is hijacked, if you haven't got a proper recovery mechanism for getting that data back, you may well be prepared to pay a large amount of money in order to get your business back up and running again. So watch out for Spora, people. And there's some good articles from the likes of GData and Bleeping Computer if you want to know more about that. Daniel, what's caught your eye?
Well, I think, for me at least, the most interesting story of this week was done by Brian Krebs. He did another great piece on Mirai Botnet and who's the real identity of the person who stands behind the Mirai Botnet. So just to kind of remind everybody, Mirai Botnet became pretty famous in September when it launched a huge denial of service attacks on Brian Krebs' website. And about a month after that, they also started a big denial of service attack on a DNS provider called Dyn. And Dyn was also used by many sites like PayPal, Spotify. There are actually quite a lot of services on US East Coast which were affected. So the interesting thing about Mirai Botnet is it's one of those Internet of Things botnets. It tries to find vulnerable personal video cameras and routers and infects it and then is used to launch denial of service attacks on any kind of server. So the story that was published by Brian Krebs today, I think, or the day before, maybe it was yesterday, is around who was the creator. And it turns out that the creators of Botnet actually own the company that's an anti-denial of service attack company.
No way.
And it's kind of very weird.
No way.
So the young guys who are obviously pretty skillful in doing what they're doing, they started as many kids do. They set up their own Minecraft server, but it's often that when you set up your own Minecraft server that the server comes under denial of service attacks, and they saw there is a niche and they started providing protection against denials of service attacks for Minecraft servers. So they started doing DDoS attacks on other servers so that they can start basically using their own protection, which is kind of weird. Wow, and it's extraordinary reading Brian's report. And Brian Krebs has always been an incredible reporter on the cybercrime front, and everyone should follow his blog and see what he's talking about. He clearly put an enormous amount of effort over many months investigating this particular group, especially after he himself was attacked.
Okay, okay, but can we just go off piece for a second? So my niece who's eight loves Minecraft as well, you know, and we often play together. I really don't get it. I don't know, I try to get it but I really don't understand. Thinking how amazing graphics are today, why this simple... how does it work? It boggles.
I don't get it, but then I don't get Teletubbies either, so.
Isn't it like Lego, right? Lego is a toy which has been around for maybe 50 years, I'm not sure, but Lego is sort of...
For those of you out there who haven't heard about Lego.
But I'm gonna tell you it's bloody brilliant, right? And I think Minecraft is basically Lego because you have that ability to build buildings and incredible worlds in Minecraft.
But she doesn't like Lego, just saying. Doesn't like Lego. Her brother does, she doesn't like it.
Well, maybe she doesn't like it because her brother likes it.
Oh, okay. Yeah, maybe, maybe.
Yeah, right. Anyway, okay, great piece of research and well worth the read. Yeah, great.
Fascinating story. And allegedly the guy who's behind it is now, he ran away from the law enforcement agencies and he's hiding somewhere in some unknown country. So he obviously realized that his real identity was discovered.
You don't mess with Brian Krebs. And also be very careful, that's the title, that's our title of our show, okay? But you know, also you've got to be really careful about the information which you leave about yourself online. One of the things which has helped piece together this story has been the reuse of usernames and interest in anime and things like that. Sorry, did I say anime? But it's things like that which begin to piece together personalities. And you go and say, oh, okay, interesting that he's described his interest in programming languages here. And it's identical to this guy here. And the pieces of the jigsaw begin to go together a bit like Lego.
The article shows just how difficult it is to connect all the dots and actually find out. And it's also very difficult to hide, I mean, in the end. If you reuse things on the internet, sooner or later, people will connect the dots. And there are tools and there are ways of doing it.
So, Carole, what caught your eye?
So, let's think for a second about all the services we depend upon at work. So you've got your, or even at school, right? You've got your email, your data storage, websites, forums, all these kind of services that you have available that you depend on. And most companies or organizations are going to block or protect them from outside attack. OK, that we take that for granted. Question is whether people are protecting these services from inside attacks. So this I take the story I saw. I saw the story on The Register this morning. So this is about an IT admin named Triana Williams, who was fired from a U.S.-based online college called the American College of Education or ACE. Now, what led to his dismissal is kind of complicated and there's complaints and lawsuits on both sides. So I would recommend if you guys want to read about it, Google his name, you'll find it. There's a number of articles in The Register, NBC News, USA Today, etc. The upshot that I wanted to focus on, though, is that Mr. Williams left his job and he was not happy about being forced to leave his job. So as he leaves, he basically ends up taking the keys to the college's Google email kingdom. OK, so basically it's an online college. People have accounts on this Google service and email account. Two thousand students. Turns out the laptop is the only place that the password was auto saved. Whether he knew the actual password or not is up for debate, according to what I've read. No, no, there's evidence on both sides. But that was the only place. Now, so he's dismissed. You have someone who's come in and been the administrator. He is using Google. Everything's working fine. And then Google says, put in your password, please. And they attempt a password and it blocks them. They try again and they eventually get locked out of Google. So what do they do? They contact Google. Google says, sorry, can't help you. This is in Mr. Williams' personal email address. That's the admin for this Google account.
So, right? Right? Now, I think, so, okay, so first thing is, you know, do, how many companies are actually exposed to this? And I think we could basically admit, at least me and one person on this podcast, admit to using personal addresses for work accounts simply because it's easier. You know, so I have done that in the past, but I've never actually been an IT admin responsible for all of email. So I don't know. Are you surprised by this, guys? Do you think it's surprising that he would have ended up using his personal email address as the admin for the Google or that he didn't get caught, that no one at the school knew?
I don't think it's surprising. I'm sure this goes on all the time. And I think typically schools and colleges don't have an enormous amount of resource in terms of IT security. And there's not going to be an awful lot of oversight if he was a. I mean, he was in the IT department. I imagine there may not have been very many people above him. And so, you know, he was just doing his job, wasn't he, as far as he's concerned and using his. So he used his personal email address to set up basically the corporation, the organizations.
I don't think he set up. I think, yes, but he, yes, he basically was basically assigned the admin, the password. And what's even more interesting is that, of course, after they failed with Google, that Google wouldn't give them access, they contacted Mr. Williams. But, of course, I don't think they were on the best of terms. And he said he'd be happy, this is a quote from Richard, he'd be happy to unlock the Google email account if the ACE gave him 200K to settle his dispute over the termination of his employment. So that is really the reason why I chose the story, because is that a kind of insider ransomware attack, basically holding the keys that came in for ransom?
Certainly some people might think it's a little bit like extortion, mightn't they? Right. Even if he even if he does have a case and I can understand he might feel that he's miffed and maybe that he hadn't been given the compensation he was expecting when he leaves. But I heard he did – it was on his work laptop, right? So he could have returned the work laptop. Yeah, right. He did return the work laptop, but he wiped it completely before he returned it.
Which is one of the best security practices to wipe your laptop when you return it. Of course.
Right? So did he have knowledge or was he doing this to stir the pot? I don't know. So the reason I wanted to bring this up is I suspect there's a number of organizations that are probably in this situation, whether it is someone has a kind of malicious intent or, you know, being a bit, or someone's trying to do it just because it's easier for them or because they don't know better. Right. So a way to basically don't want to make you want to make sure that no one has the keys to the, you know, to the kingdom. So there's a few things. This is from Cybrary IT. It's a great free security training course. You can learn everything there if you take time. There's lots of great information. But the three good tips I grabbed from them is introduce job rotation in the company. So make sure that once someone has maybe done two months or four months or six months in one role, you move them to another role. And that way it stops proprietary behavior over services or over apps or over particular projects. Mandatory vacations. This is really interesting. So you basically effectively ban people from using email, work email, or services or network whilst they're on holiday and that way things can bubble up if there's problems because if they're not there you should have no stop person should be, you know, stop everything from working.
Oh, that's clever. So that's a good way of, yeah, it's almost like a dress rehearsal for if you did get run over by a bus, or if you did get fired by the company. We'll find out the problem now, when you're on holiday in Tenerife, but you'll be back in a week or so and then we can... That's, yeah, that's interesting. Yeah, so go ahead.
If you have somebody internally who's doing something illegal in the company, then it's quite possible that if you stop their access, this practice will also stop. So you will be able to see there's some kind of anomaly, or that some kind of anomaly stopped, and you know, you'll find out who is doing something, which is, you know, a good thing. The concept that was presented, by the way they put it in Cybrary, is basically everybody should be able to leave the office for five days without undue impact to the business. So I think that makes a lot of sense.
It sounds a little bit like launching nukes from the silo. Yeah, nuclear missile. Exactly.
It's true. But there's something to be said. If you really value something, right? If this asset is business critical, doesn't it make sense to do what you can to protect it?
Absolutely. For smaller companies, it's much more difficult to do because for some critical roles, such as IT admin, you can only have one or two people. So you need to be able to divide all the duties between two of them, which most of the time won't be possible. In bigger companies, it's going to be easier.
Yeah, I would agree with that. And I think maybe you're right. This is more of a medium to large business.
So you shouldn't be a network administrator and you shouldn't be the same guy who monitors the logs of what happened.
Exactly, exactly, exactly. Well, some interesting food for thought there. And if anyone else has got some ideas on how to deal with those sort of situations, maybe it's happening inside your own organizations, do leave us a comment or let us know. You can tweet us at Smashing Security. That's smash in without a G, security. doesn't mean professional. Maybe he means better quality, right? We don't want to be too professional. There's a lot of corporate people out there. I don't think we could be. I don't think we could be too professional, Carole. I don't think we have to worry too much for that. But it would always be nice to have better video and audio quality, and it's something we're keen to do. Regarding OBS, we did actually – do you remember in the rehearsals before Christmas, we did play around with OBS a little bit, although we didn't publish anything. And our computers – It almost worked. It so almost worked, but not quite, and it gave the image of us attempting to be slick and failing massively, whereas maybe we're more comfortable just not even attempting to be slick. So maybe in the future, if we can work it out, if anyone's got any tips on that, we'd love to hear them. Daniel, do you want to take the next piece of feedback?
I love the next comment, actually. Paul Mark says, another doll's house ordered, thanks guys. So you know, we talked about Alexa and how you should secure it, and obviously as we were speaking, Paul got another dollhouse.
When you say we were speaking, it was specifically you who ordered the doll's house during the podcast. I just want to point that out to everybody if they're trying to... Well, I do apologize for that, and I hope that I'm going to be contacted by the manufacturer of the dollhouse sooner or later to thank me for the contribution to their revenue.
I've got one here from AKW144 saying, love the concept, well delivered, look forward to its release every Thursday. So no pressure that we get this out every Thursday. It's good. Actually, you know what? So far, so good.
You are so Jeremy Clarkson.
Well, I was trying to work this out, actually. He's not on Top Gear anymore, is he? Isn't Top Gear... The Grand Tour, but everyone calls it Top Gear still, don't they, because it's basically the same show. So if we were Top Gear, Carole, I think you would be that little hamster guy, right? Thanks.
I'll be the big guy. Not the Clarkson, Jeremy. Graham, you'll be the Clarkson.
Do I have to be Clarkson? I am very unfamiliar. All I know is that I don't even know anything about Top Gear. So there you are.
Okay, so I'm the one who Vanja has said is a little bit racist. Well, that's nice, isn't it? Well, we do have big news, everybody. And maybe some of you already know this. But since we last issued an episode of Smashing Security, we have debuted on iTunes. Yes, we've launched ourselves as an audio podcast, not just on iTunes, but on Google Play Music, Stitcher, Overcast, other podcast apps are available. Go searching for us if you want to hear us. Please do check us out, subscribe, and leave a review on iTunes. It really makes a huge difference. I've been asking everybody to leave reviews. I've been cornering wife, family, dog, telling them for goodness sake. Frankly, the response has been disappointing. I don't know how it's been for you guys. Have you been similarly haranguing people? Absolutely.
Yes, yes, we have. We have. We have. I don't think we need to harass anyone. I think people are going to leave comments if they like it, and that's what matters.
Oh, you're just wonderful, Carole, aren't you? You're just so nice.
I'm preparing to write a review, but I'll just say that this is a review for Graham and Carole, not on myself.
Graham and Carole say it was all right. But to be honest, that Vanja guy was the best. We'll be able to recognize which one you write, Vanja. But anyway, welcome to all of our new listeners, to the audio version. If you haven't yet checked it out, go to smashinsecurity.com and you can find links to all the relevant places, including iTunes up there. Well, that just about wraps it up. Thanks for tuning in once again. If you'd like to show, tell your friends, maybe follow us on Twitter at smashin. I-N security, smashing without a G. And we will try and keep you informed as to the latest computer story news and stuff. Any last words, Carole?
Yeah, I promise everyone out there that I'll ensure that his opening and closing statements are much shorter for future podcasts. That's a solemn promise.
Well, thank you very much, Richard Hammond, for that comment. And on that bombshell, good night. Bye.
This week, in Smashing Security #004: “You don’t mess with Brian Krebs”, the Spora ransomware that offers you more than just your encrypted files back, Brian Krebs busts the alleged masterminds behind the Mirai botnet, and be careful that your IT staff aren’t the only ones who know your company’s passwords.
Oh, and one member of the team gets a birthday surprise…
Recorded live: Thursday 10 January, 2017.
Hope you enjoy the show, and tell us what you think! You can follow the Smashing Security team on Bluesky.
Show notes
- Spora Ransomware Works Offline, Has the Most Sophisticated Payment Site as of Yet
- Spora – the Shortcut Worm that is also a Ransomware
- Popcorn Time ransomware invites you to get ‘nasty’ to recover your files
- Who is Anna-Senpai, the Mirai Worm Author?
- College fires IT admin, loses access to Google email, successfully sues IT admin for $250,000
- Fired IT Employee at Online Indiana College Offered to Help Unlock Google Account for $200K