
Has the CIA been using a Weeping Angel to spy on you via your Smart TV? Have WhatsApp, Telegram and Signal been compromised? What is the secret of the SATAN ransomware? And can you avoid having your data searched as you pass through border control?
Computer security veterans Graham Cluley, Carole Theriault, and special guest Paul Ducklin discuss this and more in the latest edition of the “Smashing Security” podcast.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hey Graham.
Hey Carole. Tell me, what is the biggest cybersecurity headache for sysadmins?
Oh, that's easy. It's the users, isn't it? They're the pain.
Exactly. And imagine if you could have a kit that had everything you needed to roll out cybersecurity training to all your users.
That would be fantastic, but I imagine it will cost an awful lot of money.
No, it's completely free. Our friends at Foursys have created this amazing kit, and you can download it for free from their website, foursys.co.uk slash toolkit. That's Foursys, F-O-U-R-S-Y-S.
You're telling me that if you just go to foursys.co.uk slash toolkit, you can download this fabulous piece of training material and get your staff up to speed when it comes to computer security.
Bingo.
Sounds fabulous. Well, thank you to Foursys for that, and thank you to Foursys as well, because I heard they're actually sponsoring our show this week.
Don't sound surprised, it's a good show.
Smashing Security, Episode 11, WikiLeaks and the CIA, with Carole Theriault and Graham Cluley.
Hello everybody and welcome to another episode of Smashing Security. Smashing Security, Episode 11 for Thursday, the 9th of March 2017. And I'm joined as always by my buddy, Carole.
Hello.
And we've got a special guest with us today, haven't we?
Very special. Who's trying not to snigger in the background.
And if you can't tell already, it is a luminary from the computer security industry, Mr. Paul Ducklin. Hello, Duck.
Hello, chaps. Thanks for having me.
Duck, for those people who don't know you, introduce yourself, explain who you are and why you're here and that sort of thing. Why are you here? No pressure.
Well, my name is Paul Ducklin. I work for Sophos, where I have worked for many years, and most of what I do these days is to write security explanations, issues such as cryptography, malware and so forth, for our Naked Security website. What I like to talk about as SECICOYEE, which is security explained so you can actually understand it.
Is this acronym SECICOYEE, is that taking off in a big way at the moment?
It's done about as well, unfortunately, as VORIWAGOAM, which I know is one of yours, which I still like and I still use, and I used it today, and I think it's kind of an important thing for security companies to get their heads around.
Voice of reason in a world gone mad, yes.
It's a bit less of the speculation and a bit more of the usable facts that help us all lift our game a bit.
So Carole, what have you been up to since we last recorded?
Well I've actually been playing with the Nintendo Classic Mini. So I got one for my husband because he did me a solid, so I bought him a treat, which is a Nintendo Entertainment System. Do you remember this? It's the old one from 1986, but it's been miniaturized to this palm-sized console.
This is a video game console? From '86?
So it's all the original games. You've got your Donkey Kongs and your Pac-Man.
But it's not a Game Boy, right?
No, no, no. It's a proper console with a little handset.
Hang on. A Game Boy is a proper console?
It is, but it doesn't connect to your TV. It has its own screen, doesn't it?
I think in the modern era that could be considered something of an advantage.
1986, come on. Anyway, it was really fun and I've had a really good time playing with that last night.
So you're having a really pixely time at the moment, it sounds good. It sounds good fun and you know I think it's quite good to experience those kind of games in the old-fashioned way before you go and swap over to the Nintendo Switch and the latest Legend of Zelda and all the super duper graphics you get today. So it sounds a lot of fun. What isn't so much fun of course is some of the stuff which happens in security. Sometimes it's not as smashing as we might like and the hot topic as we're recording this is the fact that WikiLeaks, God bless me, they've published thousands of pages of what appear to be leaked internal CIA documents. Yep, Julian Assange has released what he calls Vault 7. I don't know if there's a Vault 1, 2, 3, 4, 5, where do they come up with these crazy names from, I don't know. But he says it's the largest ever publication of confidential documents on the CIA. Much of it is focused on how the CIA could attack and spy on devices, particularly smartphones and in particular iPhones, which are generally thought to be more secure than Android. Have you guys seen the headlines around this stuff?
Yeah, and it's likely to really ruffle some feathers, isn't it?
Some of the reporting, I think, has probably been quite sloppy, actually. So we saw, for instance, WikiLeaks claim that the CIA can use zero-day vulnerabilities to bypass the encryption of popular chat apps like WhatsApp, Signal, Telegram, and Confide, which is the one which is alleged that the Trump administration or some members of it might have been using to secretly communicate with each other. You know what it's like when there's a big data leak like this, when there's 10,000 documents out? People are out there, they're reading the headlines, they're just reading the summaries and they're throwing out articles as fast as they can. And I think in the coming days, we're going to find out what everything distills down to. But don't you think in this time when we keep on seeing allegations of some of the media being, you know, fake news, dare I say it, that we do need the journalists to do a bit of a better job? I mean, for instance, the New York Times, right, which most of us, I know there are some notable exceptions, respect as an august media organisation. They ended up deleting some of their tweets because they got so carried away with this news.
A lot of the stories we've had, not necessarily this one, but in general, when you get a big leak or a big exposé of a large number of documents that have a whole history behind them, you're thinking back to Ed Snowden and the Chelsea Manning stuff, is that it's almost as though you end up with headlines that tell the story as it was at some unknown time in the past.
And since this story first broke we've seen Apple actually, they've come out and said, well, most of these things are already fixed. And I believe they were also talking in some of the documents about alleged zero-day vulnerabilities in antivirus software.
From the discussions I've had with some antivirus companies, it sounds like some of those certainly are old issues as well, which may have been resolved some time ago, so people don't have to worry.
...chance, because I remember a couple of years ago going to look into this and thinking, well, I wonder what the... I forget what the context was, but it was what versions of Android are in the shops at the moment. And on my way into work, I stopped at a popular mobile phone shop along the way, and I went in and I went straight to the budget table, where you're going to pay $100 or less for your phone.
And every month that goes past the situation's getting worse. I mean just this week we've seen Google there's been another Android security bulletin, scores of vulnerabilities have been patched. So, you know, the operating system has been patched. That's great that Google's done that and they fixed that. But now we've got this challenge of how are we going to get those patches to those users? And like you said, many of them, simply there is no route whatsoever through which they're going to get it. And so they're going to remain vulnerable.
Yes, and if you're going to buy that $45 phone that you think is great value, then you need to do a little bit of homework. It's almost like personal due diligence where you go. So you need to learn with Android how you go into the settings page and how you find out what the Android version is and all the relevant serial number details and the vendor and even perhaps the carrier, the mobile phone company that's locked it to them, perhaps, if that's legal in your country. And then go online and have a look and see whether that device is ever going to get any more security updates. Because if it isn't, you're going to be one of those guys who's at risk of security problems that, to the rest of us, are kind of considered written off and no longer existent.
And if you think updating your phone is tricky and bad, and getting the vendor to push updates out to you, that's bad, what about all these other Internet of Things devices? One of the things which has come out of this release from WikiLeaks is an alleged attack against smart televisions. There have been a lot of headlines about this so-called Weeping Angel attack. Clearly, they were Doctor Who fans, where allegedly law enforcement agents were able to compromise Samsung smart TVs. And then even when the TVs appeared to be off, they would be secretly recording conversations.
Yeah. Here's hoping for responsible disclosure. Perhaps a bit too late.
Anyway, so Duck, what's been catching your imagination this week?
Well, I took a look. This is not a particularly new family of malware, but it's a sort of interesting, if you like, almost a kind of community ransomware project known as Satan. Now, as you and I know well from the old days of antivirus, some occultic themes have always been rather popular with virus writers. We've had Dark Avenger, Necropolis, MyDoom and Natas, if you remember, which is Satan backwards. Satan Bug, that's written by the same guy, so obviously that's kind of what attracts everyone's attention, because there's all this doom-laden imagery.
Basically, they're 14-year-old boys is what you're telling me. Or they're Iron Maiden fans.
It seems that in this case there may be a little bit more to it than that. Because what you actually do is you find out the .onion address and you go to this portal, if you like, via Tor on the dark web. And then you sign up and you create an account. Obviously, it's anonymous.
I'm guessing there's a fee for this.
Yeah, 30%.
Oh, yes, of course.
Yeah, yeah, that you make. When I looked at that, I thought, I wonder where they got 30% from. It couldn't be that they thought, hey, it worked for iTunes, it'll work for us, could it? And I guess that's exactly what they are doing. They said there's no upfront fee. You just pay as you go. We take 30% just for doing the collection. And you get to decide. And the minimum payment is 0.1 bitcoins per go, which is at the current rate about $125 US.
Yes, it sounds like you don't really have to be that technical at all to jump on the ransomware.
Well, you've got to get on, you have to get onto Tor and get to the actual location. All right. That's not... But then you need to know how to pay people in Bitcoins if you're going to be a victim, don't you? I mean, it's just following a process. It's just, okay, here's the Word document. It's going to tell me how to set up Tor and how to find this place. But ultimately, the Satan service is basically white labelling some ransomware for you, isn't it? And then all you've got to do is, what, spam it out to people or plant it somewhere?
And what's really galling is there's even this kind of community part of the website where if they don't support your language for the pay page, you can go in and provide a translation and they'll verify it and then they'll make it available to everybody else. So it's like a page where you put in your localization strings for all the text. Sentences like your personal files have been encrypted and don't think of trying to do this yourself and you've got five days and all that stuff.
I wonder if people are attracted to it because it distances themselves from the actual ransomware. So say, for example, it's an insider job, for instance, right? And you wanted to get back at your employer for whatever reason you're disgruntled. I wonder if this is attractive from that point of view, that your involvement is pretty well hidden.
I don't, to be honest, I don't think we've seen that many samples of this going around. So I don't think it, fortunately, it hasn't taken off as a giant business thing.
But now we've mentioned it on Smashing Security. Everyone will be looking for it, right? Yes, thanks, Duck. Thank you.
Well, you know, as you know, on Naked Security, we like to end our articles with a section that says what to do. And in this one, I put this, the answer to that bit's really simple. Don't, you know, don't get involved in this. And if you do and you get caught, then please don't expect any sympathy. The courts are not going to look kindly on you and they're not going to say, oh, well, someone else did the dirty work and I only clicked a few buttons. It's not like that. You know, you're demanding money with menaces and that's a pretty serious crime in any country.
Don't do it, folks. Don't do it, folks.
No, do something more worthwhile with your time instead, like playing the Nintendo Classic Mini. And you know what? If you do it and you get caught, don't ask for bail. Start doing your time, because you are going to get a custodial sentence. You may as well start eating into the time you're going to have to serve while you're remanded in custody. That's my opinion anyway.
Okay, well thank you very much Duck. Carole, what have you got for us?
Well I have a question to start. How would you guys feel about border control inspectors looking at the contents of your devices? So imagine them snooping through your apps, your accounts, social media feeds, calendars, emails, etc.
Well, I don't really like them looking through my underpants and socks, to be honest. I'd be pretty uncomfortable with them rifling through my laptop and my phone as well. No, I wouldn't like it at all.
I mean, in the UK, it's been the law for, what, is it nearly a decade now that they have the right to do it? In the same way, open your suitcase, they can look through your underpants and they can say, we want to have a look through your laptop. And therefore make sure that if that bothers you, then you need to learn how to do backups properly so that you don't have to carry everything with you, which seems a good idea anyway.
Well, yes, and I think it's interesting, Paul, you say that, because since the new US president's executive order on immigration and terrorism, privacy groups like the EFF have voiced concerns about an increase in the number of invasive digital practices. This is what they're calling these searches during border inspections. So in other words, more travelers are being asked to surrender their devices and passcodes.
I would find, well, carrying no device at all, I'd find that quite difficult because, I mean, I'm actually going on a trip next weekend overseas and I'd feel lost without my smartphone or something with me or an ability to call a cab. I mean, not many people these days must be travelling with no devices. I think it would actually be a red flag, right? I mean, I think ultimately no one wants to get on that persons of interest list, right?
Oh yes, because that's not going to look suspicious, is it? If you have a completely blank smartphone.
Yeah, exactly. It's a suspicion of it. And I think the whole thing here is about, basically what you're doing is trying to deny Customs and Border Control officers access to your data, right?
Yeah, it's not... I've always been fascinated by, if you like, what jurisdiction you're in when you're airside in an airport. I once had a trip, I had to fly from Iceland to Seattle to go into... it was a device driver fest at Microsoft, and you think, well, that's great, I'm coming from the UK, I'm going to Iceland and I'm going on to Seattle. Iceland's kind of halfway-ish, but it turned out that the easiest way to fly from Iceland to Seattle is via Heathrow, believe it or not.
We've come up with a few pieces of advice on this to help. You know, I mean, the thing to understand is that these border searches are backed by immigration and terrorism legislation. So that's the reason they're doing this.
Yeah. I mean, I'd like to think that, I hope it never happens, but it would be nice that if I did have my device searched at customs, or technically maybe it's not customs, at the border anyway, I'd hope that I'd get the seal of approval from the guys saying, yes, it's obvious that you're not trying to hide everything.
Yeah. You want a ripple. Yeah. I didn't think that through, did I?
You know, the people, the victims of what they feel is unwarranted digital invasion when they've crossed borders. And there are many stories out there on the web. You know, it's not very fun for them to do.
Yeah, and there's also that problem that if you do try too hard to stick up for your rights and you say, well, I'm not going to let you do it, then they can just shrug and go, okay, then you can't come in. And they're perfectly entitled to do that.
So I heard one other interesting idea of how to deal with this. So if you are on a list, if you are someone who you think, you know, you'd be concerned if you were stopped. Obviously, we recommend on this podcast that people encrypt their hard drives and encrypt any sensitive information. You know, it just makes general good sense.
It was TrueCrypt which did that, was it? Plausible deniability, as they call it. The idea is that, you know, you refuse and you refuse and refuse and they beat you a little bit and you crack and you give them a bit of the password. You give them a bit more and then they go, yes, we've got it, and then they go in and there's this fake persona.
Yeah, that's right. I mean, think about it. Say you've got a Mac and you've split it so you've got Windows and Mac. And then, you know, after a while, possibly several minutes, you'll realize that there's not much point in booting Windows and you'll just stick in macOS all the time, right? And so you'll boot Windows once a month, once every two months when you need to. You're always going to be... and you know what a pain that is, because you're always so far out of date and then you have to sit for four and a half hours while the partition you use less frequently... Or if you have virtual machines and you only boot them once a month, you know what a pain it is. You boot them up, you think, oh, now I have to go through all the updates, I'd really better do it, that would have happened throughout the month. It's really hard to keep two lives intact.
Duck, maybe border security will be so bored after waiting six hours for all the Microsoft Windows updates to install that they're just, just wave him through. We can't deal with this any longer.
Well, of course, once they can make an image of your files after you've decrypted them, I suppose they don't – if they think you're not going to vanish off the face of the earth, they could always just take an image and then let you go and then deal with the issue later.
They can copy your whole hard drive, right, and say, off you go. We know where you're staying.
So I guess what's changed the game a lot, and I can understand this, is the fact that, you know, at least the premium versions of Windows and all Linuxes and all Mac OSs have, well, macOS has FileVault, for example, or BitLocker on Windows. They have this strong full disk encryption.
Well, it's an interesting topic, isn't it? Is there anywhere where people can go to read more about this?
Maybe that's the way to do it.
Thank you. Get some advice?
Yeah, I'd recommend actually reading this great article by the grugq. He's a security and counterintelligence expert, and he deals with the consequences pretty honestly, I felt. So there's a note in the show links for anyone who wants to read more.
That a pun? Unwarranted. Because that's part of the legalese, isn't it? That actually when you're in that, what you might call the no man's land, then the usual stuff about warrants and first, second, third, fourth, fifth amendments don't really apply. You're in a zone with sort of its own laws, its own different regulations.
Yeah, I think Edward Snowden was lost in one, wasn't he, for a while? I think at Moscow Airport. And then, of course, Tom Hanks famously got stuck there.
It wasn't Snowden actually, he was in transit, but it was actually in some, like the nth floor of the hotel outside the airport. And then he couldn't leave the hotel or something. It does get, and of course we've got Mr. Assange in the Ecuadorian flat in Kensington. And he's not in the UK, but he's certainly in the British Isles. So it gets a bit legally crazy in places like that, doesn't it?
It does. Well, look, I think our time is up. Thank you very much, Paul, for joining us today. It's fantastic, as always, to have you on the podcast. Thank you for all as well. Don't forget, folks, we're on iTunes and Google Play Music and Stitcher and Overcast and all kinds of other podcast apps as well. Even if you have one of those ghastly Amazon Echoes, you can get us.
Don't you have something to share with us before we go?
Something to share with you?
Yes. Think, think, think.
Oh, yes, you're right. Absolutely. We have to say thank you to Foursys, who are supporting the show this week, and they've got a fantastic offer for Smashing Security listeners. If you go to foursys.co.uk slash toolkit, you can download their pack, which gives you everything you need to raise awareness about computer security issues inside your organisation and train your staff. Do you remember the URL, Carole?
Yes, foursys.co.uk slash toolkit.
How do you spell Foursys?
F-O-U-R-S-Y-S.
Very good.
Bye. I should charge for the jingle.
Show notes:
- Nintendo Classic Mini
- WikiLeaks says it releases files on CIA cyber spying tools
- The CIA didn’t break Signal or WhatsApp, despite what you’ve heard
- After NSA hacking exposé, CIA staffers asked where Equation Group went wrong
- Apple, Samsung Respond To Wikileaks Claims Of CIA Hacking Programs
- Twitter reactions to the WikiLeaks CIA data dump
- Is the CIA’s Weeping Angel spying on TV viewers?
- Satan ransomware: old name, new business model
- 3 (free) things that journalists can do right now to protect their data and their sources at the border
- The US Gov Can Download the Entire Contents of Your Computer at Border Crossings
- What Are Your Rights if Border Agents Want to Search Your Phone?
- Stop Fabricating Travel Security Advice
This episode of Smashing Security is sponsored by Foursys. Check out their free end-user cybersecurity training kit: it's everything you need to roll out infosecurity best practice training (right from your desk).
Grab it now from https://www.foursys.co.uk/toolkit
Thanks to Foursys for sponsoring this episode of Smashing Security.
Hope you enjoy the show, and tell us what you think. You can follow the Smashing Security team on Bluesky.
Remember: Subscribe on iTunes to catch all of the episodes as they go live and thanks for listening!

