
Androids pre-installed with malware – can the supply chain be trusted? Will WikiLeaks help vendors get zero-days fixed? And what on earth has the Kaspersky marketing department dreamt up this time?
Computer security veterans Graham Cluley, Carole Theriault and special guest Nick FitzGerald discuss this and more in the latest edition of the “Smashing Security” podcast.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
And the last one, which is questionable for a name for a perfume, they've called it Fish. With a PH, presumably. Yes, with a PH. Catch your deepest love. Who's going to wear Fish?
Hello, hello, and welcome to episode 12 of Smashing Security. As usual, I'm joined by my buddy, Carole Theriault. Hello, Carole, how are you doing?
I'm very well, thank you. How are you?
I'm gorgeous. And where are you? Oh, well, I'm somewhere a little bit unusual. Maybe it sounds a little bit different as well. I am in a country I've never been to before, the country of Kuwait, can you believe, where I've just given a talk about attacks on industrial control systems.
Well, I know that you're very much an expert on that.
Oi, careful. They won't hire me again. I'll tell you what's interesting, though, is I've arrived in Kuwait during a sandstorm. It's my very first sandstorm. And it's such a bizarre experience looking up in the sky and it's yellow rather than blue.
And we're having an Assange storm as well.
Oh, is that a pun you've just tried?
It's a good one, right? It's morning here, so I'm full of pep.
It's morning where you are, but it's late night where our special guest is. We are joined all the way from Christchurch, New Zealand, by Nick FitzGerald, computer security expert. Hello, Nick.
Hi, guys.
Oh, Nick. How are you?
Oh, Carole. I'm good. It's a great pleasure to hear your voice again. And Graham's too, I guess.
I'm going to like this podcast.
Now, Nick is a veteran of the computer security industry and has held jobs at computer security firms and used to be editor of Virus Bulletin magazine back in the day. I think that's where I probably first met you, Nick.
Yeah, that's where I met you. Actually, the very first interaction you had with me, you sent me a pair of socks.
Wow, Graham. Rolling up the red carpet. Was that in my Dr. Solomon's days?
Yeah. And that was when I was still in Christchurch. I should explain. So Alan Solomon, who ran Dr. Solomon's, the marketing team got together with him and said, we need some giveaways. We need some T-shirts. And Alan said, why don't we give away socks instead? Because his view was that people wouldn't wear T-shirts to the office, but everyone needs a nice pair of socks.
Hey, Graham. Hey. This is supposed to be about Nick, this bit. Just FYI. All right. So Nick. Sorry. Sometimes we just have to.
That's okay. No, that's okay.
So, Nick, well, thank you very much for joining us on the show. Can you tell us if you've heard it before?
Oh, yeah. I've listened to several of the podcasts and the videos before them. Glutton for punishment.
You know how this works, guys. We are all choosing a story for the week, something which has caught our attention, happening in the computer security news, and we will give you our views on it. So the thing which caught my attention was an interesting blog post posted by the guys at Checkpoint who discovered that two companies, two separate companies, a large telecoms company and a multinational technology company, they weren't any more specific than that, they discovered that those companies had in their possession 36 malware-infected Android devices. Now you're probably thinking big deal, you know, Android phones do get infected with malware, certainly much more than iOS devices. But what's unusual about these particular cases was the malware wasn't downloaded onto those devices as a result of the users doing something. No, the malware arrived on those Android devices when those devices actually arrived at the company, so they were pre-installed with the malware.
Sorry, by whom? Sorry, yeah, keep going. I was getting excited in the story here.
Okay, steady on. Well, exactly. Well so who did it? Now what we have seen in the past sometimes is there have been Android phone vendors who've actually sold malware infected phones. I remember there was a Chinese, as if there's anything which isn't a Chinese Android developer. But anyway, there was a Chinese smartphone for sale up on Amazon. I'll put a link in the show notes, which came pre-installed with malware. But in these particular cases, it looks like the ROMs themselves, the official ROM supplied by the vendor, that wasn't infected. No, someone, somewhere along the supply chain, added the malware. In some cases, they added it to the devices using system privileges, meaning that it's really hard for a user to actually remove it. And so you'd have to reflash the device. Shut the front door, this happened. That Canadian expression.
So, Graham, I'll introduce you to Urban Dictionary. Thank you. So you're saying to me that someone along the supply chain infected these phones before they were delivered to a company?
Yes. And the company basically takes them out of the box, hands them over to the users. Yep.
Pretty spooky, isn't it? And this sort of thing has happened before. So, for instance, it's happened with networking gear. One of the revelations by the Snowden leaks a few years ago was that things like Cisco and Juniper gear were being tampered with en route to companies and malware was being installed in these devices. You've got to be really careful about what comes through your front door because it might have been tampered with at the vendor. It might have been tampered with en route to you as well.
So they were buying these devices new. It's not that they were in the presumably considerably more risky secondhand market. Oh, yeah, Nick. They weren't getting them off eBay. These are big companies, right? I don't know what you do. These are big companies, right? So yes, they're buying these devices brand new. And Checkpoint discovered they're hit by malware, and it wasn't something which the users put on.
It's more than one. It wasn't just sent to one particular company.
Right, so it appears to be a large telecoms company and a multinational technology company. That's all that Checkpoint has said.
And to your point, Graham, that we've seen this before with other Android devices and networking gear, as you referred to the Snowden revelations, I seem to remember Ross Anderson talking about some ATM machines being intercepted en route from the manufacturer to the final installation in the bank and basically Trojanized hardware. I can't remember the details. I think in this case they added a card into the machine that intercepted some of the network traffic. Wow. I mean, astonishing, isn't it? Because you just, I mean, it's all very well thinking about consumer items and how they may have been meddled with, but something as big as an ATM machine. I mean, it's audacious on the part of the computer criminals, isn't it, that they would tamper with something like that before it gets delivered.
It's got a different risk-reward element to it. I think what's attractive about it is the big payoff if they manage to do it. Obviously, there's huge risk involved as well. You know, getting caught ain't going to be fun.
So in this particular case, Checkpoint have said, well, we're not sure whether these companies were being targeted, because they looked at some of the different types of malware, and there was also adware and some information stealing Trojans on here as well. One of the pieces of malware was a piece of ransomware. And you do have to think, well, hang on a moment. If you were targeting specific companies, would you really put ransomware on? I'm not sure necessarily you would because it would be too obvious. If you would go into all of that effort with the supply chain to target a particular multinational telecoms company, for instance, wouldn't it be something more surreptitious which could steal information or open a back door potentially? So it may be, and this is all conjecture, of course, we don't know exactly what's happened here. It may simply have been opportunistic rather than particularly targeting these companies.
I have a question. Do you happen to know how they found out that they were being spied upon or that the ROMs had been replaced?
I don't. I imagine that Checkpoint Solutions picked up something awry on the devices and then further investigation brought this to light. But what we'll do is we'll put in the show links, we'll put a link to the report from Checkpoint so people can find out more there.
Perfect.
Okay, well, I think it's time to thank our sponsor. And you know what that means, Carole?
No. It means we have to play a little sponsor jingle. Wave your wand right now. Oh, that sounds kind of cool. And can you learn about this stuff?
Oh, yeah, yeah, yeah, yeah. So what you can do is you can either subscribe to their service as a company if you want to keep on top of what the latest threats are. Or you can sign up for their free Cyber Daily newsletter and get the latest insights delivered into your email inbox. And to do that, all you have to do is go to recordedfuture.com slash intel. That's recordedfuture.com slash intel.
Perfect. I'm going to sign up today.
Yeah. And thanks to Recorded Future for supporting the show. We really appreciate it. So, Nick.
Graham.
Back to you. Yeah, what's caught your eye this week?
It's sort of inevitable, given the line of work I'm in, that there's been a lot of interest in the WikiLeaks release, which I know you guys talked about last week. But a development, I think, since you went to air last week was that looking through the actual release, it's obvious that there's an enormous amount of material that WikiLeaks presumably has but hadn't released. And it's been clarified, I think, since the initial release of the Vault 7 hacking tools that a lot of the actual tools and the source code associated with them and whatever other resource material that WikiLeaks clearly has, WikiLeaks has announced that they're not actually going to release that until they've been able to coordinate with the affected vendors and the vendors have been able to reassure WikiLeaks that either they've already patched the vulnerabilities or that they have actually rolled out new patches. To remind everybody, what WikiLeaks did was they got hold of some CIA documents, thousands of CIA documents, some of which contain details of what are known as zero-day vulnerabilities. These are vulnerabilities which haven't been patched by vendors, so there's no fix for them, which they claimed the CIA were exploiting in order to spy on people and steal information and so forth. WikiLeaks, Julian Assange himself said that they're going to contact the vendors and let them know what they've got and give them access to the material pertinent to their products. And once the vendor, you know, they go through the, well, this is a little speculative, but presumably WikiLeaks will go through the normal vulnerability reporting and coordination process that any security researcher who might have found the same vulnerability would go through if they were doing a responsible disclosure type process.
There's a lot of ways this can go down though. We've all been involved in situations where we've worked at firms where they've had a vulnerability and we were in that kind of eye of the storm of trying to deal with it. And in some cases, you will get people giving you a set amount of time to fix a vulnerability. And sometimes that's very complicated, very difficult to do within that specific timeframe because of the complexity of the problem that's been discovered. And other times it can go as long as is required, right? It can go for a few months, but there's pressure on both sides. Obviously, WikiLeaks wants to put all this information out as quickly as possible while everyone's interested. And on the other hand they want to do it responsibly. So it's a tough one for everyone really.
Yeah, well, Assange said that he would give the affected firms adequate time.
Yeah, but exactly. That's exactly. If I was the company receiving that, right, I'd be like, oh, God.
Yeah. What does that mean? What is Assange's definition of adequate compared to other people? I mean, it could be 72 hours. It could be. Yeah, I'm afraid he has rather blotted his copybook in the past a little, hasn't he? He has lost a little bit of love.
Well, this is his opportunity, I guess. This is his opportunity to show that he understands the value of responsible disclosure. And I think it would be great for all of us in the security industry to see that.
So let's hope he does it promptly. Let's hope he does it appropriately. Let's hope that there are no more disclosures of anything which could potentially put people in harm's way before these patches are out there and have been issued and there's been good time for people to update. Assuming all that, I think we could give Assange a high five if we could reach him on his Ecuadorian embassy balcony.
Well, maybe a high two, a high two.
A high two, I think. This is pun-tastic. Oh, yeah. I'm sorry about that. But, you know, there is a lot of pressure on companies, isn't there, to respond. Because, of course, we've had the headlines of, you know, maybe Microsoft, Google, vulnerable and so forth. And if they haven't been given the details properly yet by WikiLeaks, it's hard for them to reassure their customers if they're, you know, whether there's a real problem or not. The material that's already been released is very, there's extremely little information. But from talking to some friends and colleagues, it would appear that at least some of the vulnerabilities, based on the very limited information, and we know that some of this material does date back at least to 2014, if not earlier.
Only if the rest of the 99% is actually of any interest, right? It could just be a lot of fat as well.
Everyone's at least a little bit interested in this because we've had Kellyanne Conway talking about how TVs can be turned into spying devices, suggesting that maybe something like that was used against the now President of the United States. Or the microwave. If he was heating up some Pop-Tarts or something like that, it could have been that way as well.
make Pop-Tarts in microwaves? I've always done them in a toaster. Oh, they're great. I love Pop-Tarts.
You know you can get internet-connected toasters now, don't you, Carole?
I'm not interested in any internet. Not interested. Not interested. I believe the first internet-of-things device was actually someone connecting a toaster to the network at some university in the US. And everyone knew about the Coke machine that if you pinged its IP address it would dispense a bottle of Coke.
that. But in fact, okay, but listen, you've just joked about Kellyanne Conway and to be fair to her... I take her very seriously, to be honest. But to be fair to her for a second, right, she's not a computer security expert. She has got her information from the newspaper headlines and maybe from WikiLeaks' press release. And that's one of the problems. If WikiLeaks keep on trickling out information about these vulnerabilities, they need to do it in a responsible way. Because when they did talk about the TV, for instance, being hackable, they didn't make clear that it could only be done via a USB stick. It couldn't be done remotely. And some of the other vulnerabilities which they spoke about, such as, for instance, breaking WhatsApp encryption and Signal encryption, were a load of old nonsense. Because, in fact, what they were talking about was hacking the phone individually. And then, of course, all bets are off. So I would urge everyone, as we see further revelations, to maybe take it with a little pinch of salt because, dare I say it, you could be being fed fake news. Oh, more dreaded alternative facts. But there's other stuff coming out of WikiLeaks right now. Now, I hear that Julian Assange might be releasing soon some information of CIA and NSA intercepts of Angela Merkel, the German chancellor. Which could be embarrassing for her.
There were just reports earlier today on that, eh? Yeah, because she's meant to be meeting up with the Donald. And that could cause some awkwardness, couldn't it? I wonder if they have dinner every night. Well, oh boy.
Okay. Carole, what have you got for us? Well, this isn't the biggest story of the week, but it was just, I thought it was so sweet and clever and quirky. I thought it deserved a mention. The Russian antivirus IT security company.
This firm has launched, get this, Threat de Toilette, pour femme and pour homme. Okay. Now, how can you not love that?
This isn't about Threat de Toilette... This isn't about the old Internet-connected lavatories, is it, being hacked? I remember that happening a few years ago. Your French is appalling. It's a parfum, a parfum. So they do a little perfume. David M, spokesperson of Kaspersky, is on record saying, "Fear awakens our senses." Okay, so cheesy, but I love it. I love it. Sorry, what are they doing? Sorry, make it clear to me. What are they doing? So they've hired UK beauty blogger Scarlett London. Now she has a respectful following of about 10,000. I bet that's her real name. And they hired her to basically come out and help launch this new range of perfumes. Yes, with a PH. Catch your deepest love. Who's going to wear Fish? Now, I haven't seen anyone. I sadly did not receive one of these little press packets. But they've tied with each of those explanations of what ransomware, malware, social engineering, phishing is. And they've given some top tips on how to stay safe online. How dare you? I'm sorry. So this is just to raise awareness of things?
Exactly.
This kind of ties into Graham's socks at the beginning. It does. Yes. It's this sort of thinking outside of the square marketing thing. Yeah. I just, I think I'm maybe a little bit too far outside the square.
You know what? Think about it this way. They are able to reach a whole audience that are online all the time, buying online, you know, and beauty blogs and whatever. If this takes off, they'll be able to get a whole industry of people, people that are not interested normally in this, to share this information and maybe, you know, be more educated about how to be safe online. I think there's something quite cute there.
I mean, okay, okay. I'm trying to take this seriously, right? It's fun. I suppose there is a certain truth in the fact that when we talk about computer security, we're often talking to the same people who already have an interest in this. And possibly the demographic of people who are following Scarlett London on Instagram is different from the typical IT engineer. And people who are interested in parfum, is that how you say it, Carole?
Exactly that.
If I want to have the essence of Eugene about me, you know what, it's—
Funny you've said that, listen, listen. So there was a rumor going around that there was a little bit of Eugene's DNA in every sample sent out. What? Yes. Though they think this was caused by a misreading of the ingredients which included eugenol, a common phenylpropylene included in perfumes.
Well thank, let's hope it is eugenol because I'd hate to think of where they've extracted Eugene Kaspersky's DNA from to put in each bottle. Oh, dear. He's not, I mean, in my experience, he's not a smelly chap. He's a nice smelling, I think. I'm trying to remember, actually. He hasn't stuck out to me particularly in either a positive or a negative way. I'm sort of neutral on Eugene's smell. What a bizarre thing for them to do, though. I mean, okay, but seriously, yes, maybe this is a way of reaching a different audience. Obviously, the PR people had great fun at the restaurant. And hey, we're talking about it, aren't we? And we mentioned Kaspersky's name a few times.
It looks like most of the journos that attended wrote about it. And I think that means it's successful. The only thing that's a bit, you know, there's an angle for me is I'm surprised no one has spotted the potential of this being a global education campaign. We could have hired bloggers in the States and a few other countries and done this as a kind of international launch. I think they would have received a much bigger return on investment.
You know what? If this goes big, if this is successful in the UK, maybe they'll spend a bit more cash and get someone like Kim Kardashian to do it. Yes. They might do. They might go all out on this if this really does work for them.
Well, they have hired big actors before. Didn't they hire, who was it? They hired some kind of—
Jackie Chan.
Jackie, was it Jackie Chan?
Yes, there's a Eugene and Jackie Chan video.
Yes. There's also Packing the K, which is where they had some kind of rapper style. I think we should actually play that out tonight as our leading song, don't you think? We'll have to play that out, Packing the K. We're going to play that out. Listen to the end everyone.
Carole, they're not sponsors, you know.
I don't care, I don't care. It's such a great song, the Packing the K song. You know, I'm going to celebrate the fact that they've done it. You know, they're doing something a little bit creative. You know, they take a punt and I like that.
Oh well, it's certainly unusual. Well I think that probably just about wraps it up doesn't it. Thank you Carole. Well, thank you as well Nick for joining us all the way from New Zealand on the podcast today. We really appreciate you being here and I hope you won't be a stranger.
My pleasure.
And the rest of you, if you enjoyed the show, please subscribe to us on iTunes, leave a review. You can also listen to us on Google Play Music and Stitcher and TuneIn and Overcast and other podcast apps as well. And new, I can reveal, we are now on iHeartRadio, which is available in some parts of the world at least. So tune in to us there.
And big thank you to Recorded Future, who helped support the show. Remember, you can sign up to their Cyber Daily newsletter at recordedfuture.com slash intel. That's recordedfuture.com slash intel.
If you like the show, tell your friends, follow us on Twitter. We are at Smashing, without a G, security. That's Smashing security. And until next time, toodaloo, bye.
Good evening. K is the key. Pack in the K.
Pack in the K. Oh, pack in the K.
Out of cybercrime. When I'm packing the K, I feel secure that adware and malware get slammed at the door. When I'm packing the K, the computer stalker, he flushes them out with behavior blockers. Yeah, when I'm packing the K, there's no escape. He blocks pop-ups and bandits like a guy with a cape. Yeah.
Show notes:
- Preinstalled Malware Targeting Mobile Users
- Chinese Android smartphone comes with malware pre-installed
- WikiLeaks says it will work with software vendors to fix CIA zero-day exploits… but when?
- Kaspersky launches a range of perfumes to, er, defend your odour
- Toilet hackers could snoop on your poop, steal data of a “personal nature”
- Beauty blogger Scarlett London launches Threat de Toilette in bid to stop youngsters oversharing online
- Jackie Chan and Eugene Kaspersky
- Packin’ the K music video
This episode of Smashing Security is made possible by the generous support of Recorded Future – the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and dark web sources to give organizations unmatched insight into emerging threats.
Sign up for free daily threat intelligence updates at recordedfuture.com/intel.
Thanks to Recorded Future for their support.
Hope you enjoy the show, and tell us what you think. You can follow the Smashing Security team on Bluesky.
Remember: Subscribe on iTunes to catch all of the episodes as they go live and thanks for listening!
Another enjoyable podcast – but what has happened to Vanja Svajcer?
Thanks for the feedback – glad you're enjoying it!
Re: Vanja. Listen to episode 10, specifically from about 32 minutes onwards…
https://grahamcluley.com/smashing-security-010-dolls-must-destroyed/
Socks
25 years later, people still remember Dr Solomon's Socks. I call that a successful marketing action.
Hi Graham! Really nice podcast, and educational. Now, regarding the first topic, Androids pre-installed with malware, could there also be some unhappy ex-employees involved? Thx!
Great podcast Graham! Learned of new stuff from you today. Will be trying out some of them on my company.