Smashing Security podcast #005: ‘Upskirt insecurity’

Three security industry veterans, chatting about computer security and online privacy.


Join me and fellow computer security industry veterans Vanja Svajcer and Carole Theriault on the “Smashing Security” podcast, as we have another casual chat about the world of online privacy and computer security.

Transcript:

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Smashing Security, Episode 005, Upskirt Insecurity, with Carole Theriault, Vanja Svajcer and Graham Cluley. Hello everybody, and welcome to Smashing Security Episode 5 for the 26th of January 2017. As always, I'm joined by my buddies Carole Theriault and Vanja Svajcer. Hi guys, how are you doing?

Carole Theriault

Really good mood. I've had a rough January in terms of amount of work. I've been working a lot and I'm getting a little bit of breathing space now so it's quite nice. Fantastic, fantastic. So no work... well, there's no end to work, is there, when it comes to computer security and things like that. There's always new things happening and stories cropping up.

Vanja Svajcer

Well, my story for this week is around an arrest that happened in Barcelona in Spain. The alleged author of the Vawtrak (Neverquest) banking Trojan, 32-year-old Stanislav Lysov, a Russian citizen, was detained on the 30th of January by the police when he was returning a rental vehicle to Barcelona airport. The Trojan that he supposedly created is one of the banking Trojans that basically tries to intercept all the banking transactions, create new fraudulent transactions and steal money from people's accounts as well. It steals some additional data such as logins and passwords for Facebook and Twitter, and has basically been around since 2013. It's been quite a significant banking Trojan, and I'm guessing the guy, Stanislav, if he was the main creator of it, actually had quite a good source of income from this.

Graham

And if he really is the author of Vawtrak, this is quite significant, isn't it? Because it wasn't just banking accounts, as you mentioned, that it was trying to steal passwords for, but all manner of other online accounts which could have fallen into the hands of criminals because there was this piece of malware sitting in the background, scooping them up from your drive, and as you typed them into websites, etc. I mean, it was quite prevalent, this one, wasn't it?

Vanja

Yeah, it was a well-created piece of malware that, apart from stealing the data, also tried to find out new sources or new targets to attack, new banks. If you were infected with this piece of malware and you visited your banking website, it would look for words such as "international banking number" or "account number" or something like that. And if it found them and the site wasn't on its list of targets, then it would actually download the whole page so it could create its own web injects, as they call them. So the next time you visited the page, and the page was on the list of targeted pages, this piece of code would be inserted to create those kinds of fraudulent transactions. So they kind of used it for collecting information, but also for stealing and creating fraudulent transactions.

Carole

And do we know how this guy got caught? So what, he was in his car, returning the car to the airport in Barcelona?

Vanja

Yeah, well, basically, it was pretty interesting. It seems that the actual investigation started sometime in 2014. And his arrest was actually requested by the FBI, and the international arrest warrant was issued by Interpol. So it seems there's quite good cooperation between the FBI and Interpol. Of course, some of the Russian organizations are saying that the Russian Federation and its legal entities should have been warned before the arrest happened. So they don't really call it a kidnapping, but it's kind of... it's interesting, this sort of dynamic between East and West, as usual.

Graham

Well, so, reading between the lines, one has to wonder whether the authorities in the West might have thought that Russia wasn't doing enough to apprehend this guy, if Western authorities knew his identity and wanted to speak to him about this particular piece of malware.

Vanja

Well, especially because we heard that the Russian secret service is recruiting hackers and malware writers, so it could have been connected with this sort of increased activity that we heard about over the hacking of the Democratic National Convention and some of the other Western organizations, allegedly by the Russian secret service. Oh Vanja, are you going to perpetuate this myth that the Russians might have had an interest in affecting the US election and would have been hacking political parties, rather than some 14-year-old?

Carole

What? Yes. And this news broke, of all places, on the New York Times video Twitter feed.

Carole

It's a business model. And it's one of those things, like when we were in the antivirus industry, when you come and talk to people, they go, "Oh, yes, of course. So you create the malware first and then you sell us the cure." It's kind of the next step after ransomware, right? Why not expand that and use it as a way to extort money out of companies? Well, it's easy to run, because you have these penetration tests; obviously penetration tests are authorized, but sometimes penetration testers go and do some initial... great hacking? So I don't want to condone this hack in any way, obviously, because I don't think you should hack into things without people's permission. But I can kind of understand it, in a way. Like with vulnerability disclosures: some companies, including Google, have this 90-day policy where they inform people they have a vulnerability. If they don't respond within 90 days, they disclose all the details, all the technical details of the vulnerability. Now, The New York Times isn't the only Twitter account which is claiming they had some unauthorized usage in the last few days. There was the Badlands National Park Service, who started tweeting facts about climate change, which got a lot of attention on Twitter the other day until it was mysteriously silenced.

Vanja

The former employee or have they kind of gone from the organization and then tweeted or have they actually tweeted and then have to...

Carole

We don't know. The official statement is very ambiguous. They're certainly a former employee now. And my guess is, you know, maybe this is what caused them to become a former employee.

Vanja

Well, if there were truly former employees who did something deliberately, I think one of the good practices is never to share accounts, if possible.

Carole

But you know what? I bet you a lot of companies do that, because they're probably buying one account for a single user if they're a small business and sharing it amongst, you know, maybe the five or ten employees within the company. Yeah, I think even at some of my previous workplaces we actually had administrator accounts that we shared. We knew the password. And Twitter doesn't really handle this quite as well as it should. I don't think it's really embraced the requirement of brands to use Twitter as a communications mechanism, making it easy for multiple staff to update and yet maintain security.

Vanja

Yeah, absolutely. And Twitter should do something about it, because it really is a way of, you know, there could be one account and there could be many people behind that account.

Carole

I'm going to predict right now that that's going to happen in the next four years. I'm just going to lay it out there.

Graham

Well, Donald Trump has been Twitter hacked before.

Carole

But not since he's been in, you know. No, no, no. He's been in power now for a few days and he's doing jolly well. Obviously, his passport policy is sound now. Okay, so do you guys know the term "upskirting"? Because this was not a term I was familiar with at all.

Graham

No. So this is a data leak story, and it involves a porn site. So this is a test to see where you guys hang out in your off hours.

Vanja

So what's upskirting? Sorry, climbing stairs?

Carole

Well, so if a woman, for example, is wearing a skirt and climbing stairs, you may want to grab a picture.

Vanja

Well, clearly, you take one of those selfie sticks and you don't use them just to take selfies.

Carole

Well, quite.

Graham

Or you put mirrors on the end of your hobnail boots. That's the other way I heard it. I read that somewhere. You would do something that, Graham. When I was researching this story, I think I saw.

Vanja

It's interesting that people are actually using their real names and real addresses, and some people are even using work email addresses, which is completely weird. And we had a little bit of an investigation at some of my jobs. Oh, right. Okay. I mean, I agree. It's crazy not to use a burner email address, basically, for these sorts of sites.

Carole

Yeah, maybe.

Vanja

But surely your email at work is name.surname or something along those lines.

Graham

Yeah, I mean, did you say 180,000 members were on this? And how much do they pay every month? $20?

Carole

A month, to have their data published online, it seems. $20? Well, actually, that's a good point. You know what, you're making a good point, because people are paying, so they do have to provide the right information. No financial data was stolen, but you probably need to have a very legitimate, bona fide email address that you regularly check.

Graham

Sorry, I'm moving away from security for a moment, because I'm fascinated by this: they're making millions, whoever runs this site. I mean, obviously there'll be server charges and things like that, but they're making millions every month.

Carole

Yeah. Well, again, we don't know if this is all active members now. We don't know that. But still, yeah. Okay. You know, doing the math certainly suggests a lot of ka-ching, doesn't it?

Graham

My goodness. Just for seeing pictures of women walking upstairs.

Vanja

So this story is about unsuspecting women. Is there an unsuspecting man as well? Because it reminds me of a story that you, Graham, have. Oh, you're not gonna... you can't get me to talk about that. This is a serious security podcast, and now you've... now I'm gonna have to talk about it. Okay. I know what you're... just, don't you remember, many years ago I was at a rather swanky restaurant in Boston, Massachusetts. Okay. And I went to the lavatory, or as it's known in America, the restroom. Okay.

Carole

You may want to check out the site. You may be on it. You've been upskirted, Graham. You've been upskirted. You may be on Candid Board. I haven't actually had a chance to look at Candid Board myself, so I don't know if they actually... I don't know if they've serviced men as well as women.

Graham

I think maybe none of us really want to check this out. But I guess the concern is, if there are real government and military email addresses in here, and if they actually verified those email addresses, which, of course, Ashley Madison didn't bother to do... but if those are accurate email addresses, there's a potential for blackmail here, isn't there?

Carole

And if people use the same passwords. So, you know, this is a good reminder: don't use the same passwords in different places. And for people that are running infrastructure and databases, especially for all databases really, get a risk assessment, do a pen test, find your vulnerabilities.

Graham

It's not like they're not making any money. 180,000 members, I use the word with reason, and $20 a month, my goodness.

Vanja

Yeah, 180,000 is a lot, but can you imagine all the other data breaches that happened in the last year or so? All the LinkedIns and Yahoo, obviously; you know, there are millions of email addresses and potentially passwords that were leaked. So one thing I can advise people: if you are worried that your details may have been leaked in one of these big breaches, there's a great website run by a security researcher called Troy Hunt. Go to his website, it's Have I Been Pwned, which is p-w-n-e-d dot com. You can enter your email address and it'll tell you if any of your details have been there. And it's a good reminder to use different passwords in different places.

Carole

You can always count on me. Well, we're heading towards the end of the show, but before that we do have some feedback on previous episodes. If you missed the last episode, episode four, we chatted about Brian Krebs possibly uncovering the identity of the bad guys behind the Mirai botnet. We also talked about the Spora ransomware, which was trying to make money in unusual ways. And we also discussed how we should be more careful about that guy in the IT department, and make sure he isn't the only one who knows the company's passwords.

Vanja

Where he said, well, was it last week or was it at the beginning of this week?

Graham

Oh well, Alan goes on: how important is it to keep this sort of data secret for security reasons? How important is it to keep your birthday a secret?

Vanja

Well, we often talk about, you know, stolen identities and things like that, and date of birth is one of the pieces of information that is sometimes asked for by banks or various institutions to identify yourself. So I think keeping the date of birth relatively secret, though obviously, plus or minus, it's very easy to find out. Now that we know it's either this week or the week before, there are not that many possibilities.

Carole

Yeah, and everyone knows now that you're 52, so yeah.

Vanja

Exactly, that's the one. So yeah, I mean, it's important to keep it secret, but, you know, healthy paranoia is good, but not too paranoid. I'm not trying to be too paranoid, yeah.

Graham

On its own, probably not that damaging, but it is a potential piece of the jigsaw, and obviously if there are sites or services which are verifying you by your date of birth, then that is a matter of public record, and if someone gets their hands on it they could potentially abuse it.

Carole

You've got a great one here. This is from your... is this from your... it says it's from Graham's dad. What? So he says, "Graham, I've listened to you and your colleagues wittering on in a seemingly unstructured way." Oh, my goodness. He says, "Still, I gave you the mandatory five-star review. I had to sign up for an Apple ID to do this. This was rather against my better judgment, as I am not an Apple fan."

Graham

No, he's not an Apple fan. It is true to say that I was nagging quite a lot of my family last weekend, saying, "For goodness sake, are you going to leave a review? Are you going to rate the podcast or not? Do you even know what a podcast is?" I had no trouble.

Carole

Everyone who I'd show the podcast to loved it and jumped to review it.

Graham

You guys are just so much more tech savvy in your families, clearly, than mine. But there you are, my good old dad. Thank you, dad. And I'm wittering on in a seemingly unstructured way.

Vanja

He did a great... you know, it was a pretty good review. I loved it. Yeah, we have another one as well, from Martin Overton, whom we've known for years. Yes, he says, "Your Twitter name is very apt without the G in it, as you're helping to smash in security of products. I love it, guys." I don't get it. I don't get it. Can you explain it to me? Smash in security. Smash in security. Smash. You smash. Yes, smash. In security.

Graham

Sorry, Carole, we're keeping you away. That's very good, Martin. All right, then. Very good. Thank you, Martin, for that. Well, folks, we are now an audio podcast. We did do some video ones, but we've had a little bit of trouble recording the video this week, so we're just going audio only for this occasion. So if you haven't done so already, make sure that you do subscribe to hear us as an MP3 audio podcast in future. We're on iTunes and Google Play and Stitcher and TuneIn and Overcast and all good podcast apps, and probably quite a few crummy ones as well. If there's somewhere where you want to see us, let us know and we will make sure that we get into their directory too. But we really do appreciate it when people leave a review for us. It really makes a big difference, because more people get to see us. No, they don't get to see us anymore, do they? They get to listen to us. So there you are. I think I can't improve upon that. Thanks for listening, everybody. If you like the show, tell your friends. Follow us on Twitter. We're at Smashing Security. Thanks, Martin, on Twitter. That's Smashing, without a G, Security. Until next time. Thanks, Vanja. Thanks, Carole. Toodaloo. And cheerio, everybody.

Vanja

Thanks, guys. Toodaloo. Bye. Bye. Thank you.

Blurb:

An alleged hacker finds the downside to car rental, a New York Times Twitter account announces Vladimir Putin is planning to launch a missile attack against the United States, and an “upskirt” website leaks its user data.

Oh, and Vanja forces Graham to share an embarrassing privacy-breaching lavatory anecdote.

Show notes:

Hope you enjoy the show, and tell us what you think! You can follow the Smashing Security team on Bluesky.

Oh, and if you’re wondering what happened to the Smashing Security video… click here.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

2 comments on “Smashing Security podcast #005: ‘Upskirt insecurity’”

  1. Bob

    Great podcast! I prefer audio over video as I can rest my eyes.

    What software/software are you using to create this Graham? The audio is many, many times superior compared to the first couple of videos and is extremely easy to listen to :)

    Talking about Google and vulnerability disclosures, Chrome has now been updated to 56.0.2924.76 and has some very important security fixes.

    https://chromereleases.googleblog.com

    1. Graham Cluley · in reply to Bob

      Thanks Bob. In previous podcasts we were recording it as a Google Hangout (which gives us a video version) and then ripping the audio out of that. Google Hangouts – understandably – doesn't give a lot of priority to audio.

      For this episode we dumped Google Hangouts entirely (which I realise may have upset some people, as we didn't make a video version) and recorded the audio using Cast ( https://tryca.st/ )

      Cast captures the audio locally on each remote participant's computer (Carole and I are at different locations in Oxford, and Vanja is in Croatia) and then munges them all together at the end. It's possible to do the job of Cast with other tools, but it takes some of the donkey work out of the process and reduces the chances of cockup.

      Once Cast have given us a decent recording we do a little editing in GarageBand and Bob's your uncle.

      It's still not perfect, and we could have tweaked more with the levels and there's some background traffic noise coming from outside where Vanja records. But I think it's a big improvement.

      And thanks for reminding everyone about the new version of Chrome. Good to see them making this change (I believe Firefox has done something similar), and that users will be updated pretty much automatically.
