Julian Assange’s WikiLeaks didn’t earn itself much love from the infosec community when it (incorrectly) claimed in its Vault 7 press release that encrypted chat apps like Signal and WhatsApp had been cracked by the CIA (they haven’t), and some in the media made the mistake of getting very excited with the concept that your Samsung TV might have been remotely hacked to spy on your conversations (it hasn’t).
The reality is that the vast majority of us should be worrying much more about being phished by the next email we receive than by WikiLeaks’s revelations of alleged zero-day vulnerabilities held only by the CIA.
Nonetheless, if there are unpatched vulnerabilities in Android, iOS, Windows etc that law enforcement agencies are aware of (and potentially using) but have not informed the software manufacturer about then that’s a big problem.
Because if an intelligence agency has worked out a way of hacking a smartphone remotely, for instance, then there’s a chance that others have worked it out too. Including criminal gangs or rogue nation states.
The best course of action for millions of innocent technology users around the world is for vulnerabilities to be responsibly reported and patched quickly by vendors.
Put simply: If, say, the CIA doesn’t share details with a technology firm about the exploitable flaws it has discovered there is a chance that the very people the CIA is trying to protect could themselves be hacked.
So, I was pleased to hear Assange say at an online press conference that WikiLeaks had decided to share details of the vulnerabilities with the relevant vendors so fixes could be rolled out:
“We have decided to work with them, to give them some exclusive access to the additional technical details we have so that fixes can be developed and pushed out so that people can be secured. And then, once this material is effectively disarmed by us, by removing critical components, we will publish additional details about what has been occurring.”
What a shame that Assange did not co-ordinate with vendors *before* releasing the “Vault 7” data dump. What a positive story that could have been.
As Forbes reports, WikiLeaks doesn’t yet seem to have shared any details with Google and Microsoft at least.
Let’s hope that this information-sharing is happening as we speak, so any remaining vulnerabilities are not left unpatched for any day longer than necessary. Any delay in sharing the details would reflect very poorly on Assange and his WikiLeaks organisation.
You can hear some of my personal views about WikiLeaks’s release of the “Vault 7” CIA data dump in this episode of the “Smashing Security” podcast where I was joined by Carole Theriault and special guest Paul Ducklin (better known as “Duck”).
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hey Graham.
Hey Carole.
Tell me, what is the biggest cybersecurity headache for sysadmins?
Oh, that's easy. It's the users, isn't it? They're the pain.
Exactly. And imagine if you could have a kit that had everything you needed to roll out cybersecurity training to all your users.
That would be fantastic, but I imagine it would cost an awful lot of money.
No, it's completely free. Our friends at Forsys have created this amazing kit and you can download it for free from their website, forsys.co.uk/toolkit. That's Forsys, F-O-U-R-S-Y-S.
You're telling me that if you just go to forsys.co.uk/toolkit, you can download this fabulous piece of training material and get your staff up to speed when it comes to computer security?
Bingo!
Sounds fabulous. Well, thank you to Forsys for that, and thank you to Forsys as well, because I heard they're actually sponsoring our show this week.
Don't sound surprised, it's a good show.
Smashing Security, Episode 11: WikiLeaks and the CIA, with Carole Theriault and Graham Cluley. Hello everybody, and welcome to another episode of Smashing Security.
Smashing Security, Episode 11, for Thursday, the 9th of March, 2017. And I'm joined as always by my buddy Carole. Hello, Carole.
Smashing Security, Episode 11, for Thursday, the 9th of March, 2017. And I'm joined as always by my buddy Carole. Hello, Carole.
Hello.
And we've got a special guest with us today, haven't we?
Very special.
Who's trying not to snigger in the background.
And if you can't tell already, it is a luminary from the computer security industry, Mr. Paul Ducklin. Hello, Duck.
Hello, chaps. Thanks for having me.
And Duck, for those people who don't know you, introduce yourself, explain who you are and why you're here and that sort of thing. Why are you here?
No pressure.
Well, my name is Paul Ducklin.
I work for Sophos where I have worked for many years, and most of what I do these days is to write security explanations—issues such as cryptography, malware, and so forth—for our Naked Security website, what I like to talk about as SESSI-COWIE, which is Security Explained So You Can Actually Understand It.
And is this acronym SESSI-COWIE, is that taking off in a big way at the moment?
It's done about as well, unfortunately, as Vorriwoggom, which I know is one of yours, which I still like and I still use and I used it today and I think it's kind of an important thing for security companies to get their heads around.
I work for Sophos where I have worked for many years, and most of what I do these days is to write security explanations—issues such as cryptography, malware, and so forth—for our Naked Security website, what I like to talk about as SESSI-COWIE, which is Security Explained So You Can Actually Understand It.
And is this acronym SESSI-COWIE, is that taking off in a big way at the moment?
It's done about as well, unfortunately, as Vorriwoggom, which I know is one of yours, which I still like and I still use and I used it today and I think it's kind of an important thing for security companies to get their heads around.
Voice of reason in a world gone mad.
Yes, it's a bit less of the speculation and a bit more of the usable facts that help us all lift our game a bit.
So, Carole, what have you been up to since we last recorded?
Well, I've actually been playing with the Nintendo Classic Mini. So I got one for my husband because he did me a solid.
So I bought him a treat, which is Nintendo Entertainment System. Do you remember this? It's the old one from 1986, but it's been miniaturised to this palm-sized console.
So I bought him a treat, which is Nintendo Entertainment System. Do you remember this? It's the old one from 1986, but it's been miniaturised to this palm-sized console.
This is a video game console? Yes.
Right. From '86. So it's all the original games. You know, you've got your Donkey Kongs and your Pac-Man. So— But it's not a Game Boy, right?
No, no, no.
It's a proper console with a little handset.
Hang on, a Game Boy is a proper console.
It is, but it doesn't connect to your TV. It has its own screen, doesn't it?
I think in the modern era, that could be considered something of an advantage.
1986. Come on. Anyway, it was really fun. And I've had a really good time playing with that last night.
So you're having a really pixely time at the moment. It sounds good, it sounds good fun.
And, you know, I think it's quite good to experience those kind of games in the old-fashioned way before you go and swap over to the Nintendo Switch and the latest Legend of Zelda and all the super duper graphics you get today.
So it sounds a lot of fun. What isn't so much fun, of course, is some of the stuff which happens in security sometimes. Sometimes it's not as smashing as we might like.
And the hot topic as we're recording this is the fact that WikiLeaks, God bless me, they've published thousands of pages of what appear to be leaked internal CIA documents.
Yep, Julian Assange has released what he calls Vault 7. He's, I don't know if there's a Vault 1, 2, 3, 4, 5, 6, where do they come up with these crazy names from, I don't know.
But he says it's the largest ever publication of confidential documents on the CIA.
Much of it is focused on how the CIA could attack and spy on devices, particularly smartphones, and in particular iPhones, which are generally thought to be more secure than Android.
Have you guys seen any of the headlines around this stuff?
And, you know, I think it's quite good to experience those kind of games in the old-fashioned way before you go and swap over to the Nintendo Switch and the latest Legend of Zelda and all the super duper graphics you get today.
So it sounds a lot of fun. What isn't so much fun, of course, is some of the stuff which happens in security sometimes. Sometimes it's not as smashing as we might like.
And the hot topic as we're recording this is the fact that WikiLeaks, God bless me, they've published thousands of pages of what appear to be leaked internal CIA documents.
Yep, Julian Assange has released what he calls Vault 7. He's, I don't know if there's a Vault 1, 2, 3, 4, 5, 6, where do they come up with these crazy names from, I don't know.
But he says it's the largest ever publication of confidential documents on the CIA.
Much of it is focused on how the CIA could attack and spy on devices, particularly smartphones, and in particular iPhones, which are generally thought to be more secure than Android.
Have you guys seen any of the headlines around this stuff?
Yeah, and it's likely to really ruffle some feathers, isn't it?
Some of the reporting I think has probably been quite sloppy actually.
So we saw, for instance, WikiLeaks claim that the CIA can use zero-day vulnerabilities to bypass the encryption of popular chat apps like WhatsApp, Signal, Telegram, and Confide, which is the one which is alleged that the Trump administration or some members of it might have been using to secretly communicate with each other.
But it's not really the case. It doesn't seem though that the CIA have really broken the encryption of these, which obviously would be huge news and alarming for many people.
Instead, it looks like what the CIA have been doing is they've been using zero-day vulnerabilities maybe to snoop on smartphones.
So to break smartphones and to commandeer smartphones. And of course, once they control a phone, then they can see anything which is going on it.
They can see the conversations, they can see what's happening through those sort of devices.
So we saw, for instance, WikiLeaks claim that the CIA can use zero-day vulnerabilities to bypass the encryption of popular chat apps like WhatsApp, Signal, Telegram, and Confide, which is the one which is alleged that the Trump administration or some members of it might have been using to secretly communicate with each other.
But it's not really the case. It doesn't seem though that the CIA have really broken the encryption of these, which obviously would be huge news and alarming for many people.
Instead, it looks like what the CIA have been doing is they've been using zero-day vulnerabilities maybe to snoop on smartphones.
So to break smartphones and to commandeer smartphones. And of course, once they control a phone, then they can see anything which is going on it.
They can see the conversations, they can see what's happening through those sort of devices.
You know what it's like when there's a big data leak like this, when there's 10,000 documents out, you know?
People are out there, they're reading the headlines, they're just reading the summaries and they're throwing out articles as fast as they can.
And I think in the coming days we're gonna find out, you know, what everything this stills down to, because there's going to be fake news.
People are out there, they're reading the headlines, they're just reading the summaries and they're throwing out articles as fast as they can.
And I think in the coming days we're gonna find out, you know, what everything this stills down to, because there's going to be fake news.
But don't you think in this time when we keep on seeing allegations of some of the media being, you know, fake news, dare I say it, that we do need the journalists to do a bit of a better job?
I mean, for instance, the New York Times, right? Which most of us, I know there are some notable exceptions, respect as an august media organisation.
They ended up deleting some of their tweets because they got so carried away with this news.
I guess there's always this push, isn't there, to be the first with the breaking news in order to get the clicks?
I mean, for instance, the New York Times, right? Which most of us, I know there are some notable exceptions, respect as an august media organisation.
They ended up deleting some of their tweets because they got so carried away with this news.
I guess there's always this push, isn't there, to be the first with the breaking news in order to get the clicks?
One of the problems I've got with a lot of the stories we've had, not necessarily this one, but in general, when you get a big leak or, you know, a big exposé of a large number of documents that have a whole history behind them, you know, you're thinking back to Ed Snowden and the Chelsea Manning stuff, is that it's almost as though you end up with headlines that tell the story as it was at some unknown time in the past.
And that's a big problem when you say, oh, we've got loads of zero days.
And for all we know, that might be, well, there was a zero day for a bit, and then that was patched 7 years ago, and this one worked for a few months, and then it was patched in April, and so on.
And that's the problem. Oh, there are loads of zero days.
Unfortunately, there are at least some zero days, maybe not as many as some people might want us to believe, that occur in products, that appear in products.
And those who don't patch, who don't use the latest versions, who don't adopt safe practices may get caught out long after the fact.
You know, the fact that ancient malware still gets a grip on some people's computers is evidence of that.
But this idea of, wow, giant zero-day storm, unfortunately there's an awful lot of work to do to put that into context and say when this thing was a zero-day and when it wasn't.
So you also get people going, oh well, there's all these zero-days. Like, have you got samples and do you detect them?
And so I'm thinking, well, if we did, by definition, they wouldn't really be zero days, would they?
So it's almost as though we get excited by the word zero day without considering that sometimes, fortunately, zero days are only there for a very short time, particularly if you're on the ball with patching.
And that's a big problem when you say, oh, we've got loads of zero days.
And for all we know, that might be, well, there was a zero day for a bit, and then that was patched 7 years ago, and this one worked for a few months, and then it was patched in April, and so on.
And that's the problem. Oh, there are loads of zero days.
Unfortunately, there are at least some zero days, maybe not as many as some people might want us to believe, that occur in products, that appear in products.
And those who don't patch, who don't use the latest versions, who don't adopt safe practices may get caught out long after the fact.
You know, the fact that ancient malware still gets a grip on some people's computers is evidence of that.
But this idea of, wow, giant zero-day storm, unfortunately there's an awful lot of work to do to put that into context and say when this thing was a zero-day and when it wasn't.
So you also get people going, oh well, there's all these zero-days. Like, have you got samples and do you detect them?
And so I'm thinking, well, if we did, by definition, they wouldn't really be zero days, would they?
So it's almost as though we get excited by the word zero day without considering that sometimes, fortunately, zero days are only there for a very short time, particularly if you're on the ball with patching.
And since this story first broke, we've seen Apple actually, they've come out and said, well, most of these things are already fixed.
And I believe they were also talking in some of the documents about alleged zero-day vulnerabilities in antivirus software.
And from the discussions I've had with some antivirus companies, it sounds like some of those certainly are old issues as well, which may have been resolved some time ago.
So people don't have to worry. Of course, people who might have to worry are those people who aren't updating, who aren't patching themselves.
And that makes me begin to think about what about all those Android users where if you've got a Google-branded device, there's a good chance that you're receiving security updates on it.
Well, I don't know about good, there's a chance. Well, okay, there's even less of a chance if you are using a device manufactured by some of the other vendors doing Android.
And I believe they were also talking in some of the documents about alleged zero-day vulnerabilities in antivirus software.
And from the discussions I've had with some antivirus companies, it sounds like some of those certainly are old issues as well, which may have been resolved some time ago.
So people don't have to worry. Of course, people who might have to worry are those people who aren't updating, who aren't patching themselves.
And that makes me begin to think about what about all those Android users where if you've got a Google-branded device, there's a good chance that you're receiving security updates on it.
Well, I don't know about good, there's a chance. Well, okay, there's even less of a chance if you are using a device manufactured by some of the other vendors doing Android.
There might be zero chance because I remember there were a couple of years ago going to look into this and thinking, well, I wonder what the— I forget what the context was, but it was, you know, what versions of Android are in the shops at the moment?
And I went on my way into work, I stopped at a popular mobile phone shop along the way, and I went in and I went straight to the budget table, you know, where you're going to pay $100 or less for your phone.
And I looked at these devices and some of them were quite neat, perfectly usable, and they were already using versions of Android that had not been— they were still using versions of Android that had not been supported for a year or so.
And this was two years ago, you know, when everyone was— you're supposed to be going towards version 5 and version 4.4.
Well, that's the LastPass, that's the oldest one you really want to consider.
You could buy an off-the-shelf device and it was, you know, it was well priced for that reason, I suppose. And it had, say, Android 4.2 on it.
And it was pretty clear that when you bought that device, not only was it already out of date, but you were never going to get updates. And that was sort of by design.
And it seems a bit of a pity that maybe it's not made a little bit clearer to the people who are buying them.
And I went on my way into work, I stopped at a popular mobile phone shop along the way, and I went in and I went straight to the budget table, you know, where you're going to pay $100 or less for your phone.
And I looked at these devices and some of them were quite neat, perfectly usable, and they were already using versions of Android that had not been— they were still using versions of Android that had not been supported for a year or so.
And this was two years ago, you know, when everyone was— you're supposed to be going towards version 5 and version 4.4.
Well, that's the LastPass, that's the oldest one you really want to consider.
You could buy an off-the-shelf device and it was, you know, it was well priced for that reason, I suppose. And it had, say, Android 4.2 on it.
And it was pretty clear that when you bought that device, not only was it already out of date, but you were never going to get updates. And that was sort of by design.
And it seems a bit of a pity that maybe it's not made a little bit clearer to the people who are buying them.
And every month that goes past, the situation's getting worse.
I mean, just this week we've seen Google, there's been another Android security bulletin, scores of vulnerabilities have been patched.
So, you know, the operating system has been patched. That's great that Google's done that and they fixed that.
But now we've got this challenge of how are we going to get those patches to those users?
And as you said, many of them simply there is no route whatsoever through which they're going to get it. And so they're going to remain vulnerable.
I mean, just this week we've seen Google, there's been another Android security bulletin, scores of vulnerabilities have been patched.
So, you know, the operating system has been patched. That's great that Google's done that and they fixed that.
But now we've got this challenge of how are we going to get those patches to those users?
And as you said, many of them simply there is no route whatsoever through which they're going to get it. And so they're going to remain vulnerable.
And if you're going to buy that $45 phone that you think is great value, then you need to do a little bit of homework.
It's almost like personal due diligence where you go, you— so you need to learn with Android how you go into the settings page and how you find out what the Android version is.
And you know, all the relevant serial number details and the vendor and even perhaps the carrier, you know, the mobile phone company that's locked it to them, perhaps if that's legal in your country.
And then go online and have a look and see whether that device is ever going to get any more security updates.
Because if it isn't, you're going to be one of those guys who's at risk of security problems that to the rest of us are kind of considered written off and no longer existent.
It's almost like personal due diligence where you go, you— so you need to learn with Android how you go into the settings page and how you find out what the Android version is.
And you know, all the relevant serial number details and the vendor and even perhaps the carrier, you know, the mobile phone company that's locked it to them, perhaps if that's legal in your country.
And then go online and have a look and see whether that device is ever going to get any more security updates.
Because if it isn't, you're going to be one of those guys who's at risk of security problems that to the rest of us are kind of considered written off and no longer existent.
And if you think updating your phone is tricky and bad and getting the vendor to push updates out to you, that's bad. What about all these other Internet of Things devices?
Oh, don't. Yeah, one of the things which has come out of this release from WikiLeaks is alleged attack against smart televisions.
There've been a lot of headlines about this so-called Weeping Angel attack.
Clearly they were Doctor Who fans, where allegedly law enforcement agents were able to compromise Samsung smart TVs.
And then even when the TVs appeared to be off, they would be secretly recording conversations.
Now, what most of these headlines haven't actually got across, however, is that that particular spyware could only be installed via USB.
In other words, the authorities needed physical access to your television, and many of the media have missed that point.
Yeah, if you read the documents, you can see clearly there, it's a USB-only thing. So in some ways, this is sort of same old, same old.
We, intelligence agencies have been using computers, using the internet to spy on each other for ages.
They've been perhaps hoarding zero-day vulnerabilities and not passing them on to vendors, which of course causes harm for all of us, particularly when those zero days then become public knowledge.
The interesting thing right now is WikiLeaks has actually sort of controlled itself a little.
It hasn't released everything which it knows just yet, which isn't always the way that they are. They're not terribly good at redacting themselves on occasion.
They actually aren't sharing details of all of the exploits right now.
Oh, don't. Yeah, one of the things which has come out of this release from WikiLeaks is alleged attack against smart televisions.
There've been a lot of headlines about this so-called Weeping Angel attack.
Clearly they were Doctor Who fans, where allegedly law enforcement agents were able to compromise Samsung smart TVs.
And then even when the TVs appeared to be off, they would be secretly recording conversations.
Now, what most of these headlines haven't actually got across, however, is that that particular spyware could only be installed via USB.
In other words, the authorities needed physical access to your television, and many of the media have missed that point.
Yeah, if you read the documents, you can see clearly there, it's a USB-only thing. So in some ways, this is sort of same old, same old.
We, intelligence agencies have been using computers, using the internet to spy on each other for ages.
They've been perhaps hoarding zero-day vulnerabilities and not passing them on to vendors, which of course causes harm for all of us, particularly when those zero days then become public knowledge.
The interesting thing right now is WikiLeaks has actually sort of controlled itself a little.
It hasn't released everything which it knows just yet, which isn't always the way that they are. They're not terribly good at redacting themselves on occasion.
They actually aren't sharing details of all of the exploits right now.
Just some?
Well, they're sort of skirting around the issue so that they're sharing some code, but they're not given all the juicy stuff.
Now, it may be that they will release that in the future.
My hope, and I don't know if it'll be a forlorn one, will be that they will actually share this information with the vendors because they're the people who actually have to protect against those things.
But yeah, that information has somehow been stolen from the CIA, and it does look as though this is from the CIA, and that means it could be in the hands of anybody, which means all of us potentially are at risk unless these bugs get fixed.
Now, it may be that they will release that in the future.
My hope, and I don't know if it'll be a forlorn one, will be that they will actually share this information with the vendors because they're the people who actually have to protect against those things.
But yeah, that information has somehow been stolen from the CIA, and it does look as though this is from the CIA, and that means it could be in the hands of anybody, which means all of us potentially are at risk unless these bugs get fixed.
Here's hoping for responsible disclosure. Perhaps a bit too late.
Anyway, so, Duck, what's been catching your imagination this week?
Well, I took a look.
It's not a— this is not a particularly new family of malware, but it's a sort of interesting, if you like, almost a kind of community ransomware project known as Satan.
Now, as you and I know well from our from the old days of antivirus, sort of occultic themes have always been rather popular with virus writers.
We've had Dark Avenger, Necropolis, My Doom, Anaitas, if you remember, which is Satan backwards, Satan Bug. Those are written by the same guy.
So obviously that's kind of what attracts everyone's attention because there's all this doom-laden imagery.
It's not a— this is not a particularly new family of malware, but it's a sort of interesting, if you like, almost a kind of community ransomware project known as Satan.
Now, as you and I know well from our from the old days of antivirus, sort of occultic themes have always been rather popular with virus writers.
We've had Dark Avenger, Necropolis, My Doom, Anaitas, if you remember, which is Satan backwards, Satan Bug. Those are written by the same guy.
So obviously that's kind of what attracts everyone's attention because there's all this doom-laden imagery.
Basically they're 14-year-old boys is what you're telling me. Or they're Iron Maiden fans.
It seems that in this case there may be a little bit more to it than that, because what you actually do is you go to— you find out the .onion address and you go to this portal, if you like, via Tor on the darkweb, and then you sign up and you create an account.
Obviously it's anonymous. And what you do is instead of just downloading the ransomware or the source code and going off and doing your thing, you kind of join a club.
And basically the backend to Satan generates you a unique copy of the malware, which is tailored to the ransom that you want to ask.
So you can say, well, I want to charge half a bitcoin and then I want to wait a week and then I want to ramp the price up to one bitcoin. And you can set those parameters.
So you get the malware tailored to you, you get some delivery tools, script tools that it generates for you that you can copy and paste.
Then the crooks actually deal with collecting the bitcoins. And of course, you have complete faith in them to be quite honest about how much revenue they've generated.
And they take 30% of the proceeds and send the rest back out to you via bitcoin.
So they're running the infrastructure, they are doing the bitcoin processing, they're generating the malware, and there's even, oh dear.
Obviously it's anonymous. And what you do is instead of just downloading the ransomware or the source code and going off and doing your thing, you kind of join a club.
And basically the backend to Satan generates you a unique copy of the malware, which is tailored to the ransom that you want to ask.
So you can say, well, I want to charge half a bitcoin and then I want to wait a week and then I want to ramp the price up to one bitcoin. And you can set those parameters.
So you get the malware tailored to you, you get some delivery tools, script tools that it generates for you that you can copy and paste.
Then the crooks actually deal with collecting the bitcoins. And of course, you have complete faith in them to be quite honest about how much revenue they've generated.
And they take 30% of the proceeds and send the rest back out to you via bitcoin.
So they're running the infrastructure, they are doing the bitcoin processing, they're generating the malware, and there's even, oh dear.
I'm guessing there's a fee for this.
Yeah, 30%. Oh yes, of course, yeah, yeah, that you make. And when I looked at that, I thought, I wonder where they got 30% from?
It couldn't be that they thought, hey, it worked for iTunes, it'll work for us. And I guess that's exactly what they are doing.
They said there's no upfront fee, you just pay as you go, we take 30% just for doing the collection, and you get to decide.
And the minimum, the minimum payment is 0.1 bitcoins per go, which is the current rate about $125 US.
So they've got— fortunately, the malware it generates, you know, most products like decent antivirus products these days will mop it up.
But it's just this whole kind of, well, join the club and we'll take care of everything.
And you don't— all you have to do is worry about, think about how you're going to disseminate the malware to people.
It couldn't be that they thought, hey, it worked for iTunes, it'll work for us. And I guess that's exactly what they are doing.
They said there's no upfront fee, you just pay as you go, we take 30% just for doing the collection, and you get to decide.
And the minimum, the minimum payment is 0.1 bitcoins per go, which is the current rate about $125 US.
So they've got— fortunately, the malware it generates, you know, most products like decent antivirus products these days will mop it up.
But it's just this whole kind of, well, join the club and we'll take care of everything.
And you don't— all you have to do is worry about, think about how you're going to disseminate the malware to people.
Yes, it sounds like you don't really have to be that technical at all to jump on the ransomware.
Well, you've got to get on, you have to get on to Tor and get to the actual location.
All right, that's not— but then you need to know how to pay people in bitcoins if you're going to be a victim, don't you? I mean, it's just following a process.
It's just, okay, here's the Word document, it's going to tell me how to set up Tor and how to find this place.
But ultimately, the Satan service is basically white labeling some ransomware for you, isn't it? And then all you've got to do is, what, spam it out to people or plant it somewhere?
It's just, okay, here's the Word document, it's going to tell me how to set up Tor and how to find this place.
But ultimately, the Satan service is basically white labeling some ransomware for you, isn't it? And then all you've got to do is, what, spam it out to people or plant it somewhere?
And what's really galling is there's even this kind of community part of the website where if they don't support your language for the pay page, you can go in and provide a translation and they'll verify it and then they'll make it available to everybody else.
Wow.
So there's a page where you put in your localization strings for all the text, sentences like, "Your personal files have been encrypted," and "Don't think of trying to do this yourself," and "You've got 5 days," and all that stuff.
Wow.
So there's a page where you put in your localization strings for all the text, sentences like, "Your personal files have been encrypted," and "Don't think of trying to do this yourself," and "You've got 5 days," and all that stuff.
I wonder if people are attracted to it because it distances themselves from the actual ransomware. So say, for example, it's an insider job, for instance, right?
And you wanted to get back at your employer for whatever reason you're disgruntled.
I wonder if this is attractive from that point of view, that your involvement is pretty well hidden.
And you wanted to get back at your employer for whatever reason you're disgruntled.
I wonder if this is attractive from that point of view, that your involvement is pretty well hidden.
I don't, to be honest, I don't think we've seen that many samples of this going around, so I don't think it, fortunately, it hasn't taken off as a giant business thing.
But now we've mentioned it on Smashing Security, everyone will be looking for it, right?
Yes, thanks, Duck. Thank you. As you know, on Smashing Security, we like to end our articles with a section that says what to do.
And in this one, I put this— the answer to that bit's really simple: don't. You know, don't get involved in this.
And if you do and you get caught, then please don't expect any sympathy.
The courts are not going to look kindly on you, and they're not going to say, oh well, someone else did the dirty work and I only clicked a few buttons. It's not like that.
You know, you're demanding money with menaces, and that's a pretty serious crime in any country.
And in this one, I put this— the answer to that bit's really simple: don't. You know, don't get involved in this.
And if you do and you get caught, then please don't expect any sympathy.
The courts are not going to look kindly on you, and they're not going to say, oh well, someone else did the dirty work and I only clicked a few buttons. It's not like that.
You know, you're demanding money with menaces, and that's a pretty serious crime in any country.
Don't do it, folks. Don't do it, folks.
No, do something more worthwhile with your time instead, like playing the Nintendo Classic Mini. And you know what?
If you do it and you get caught, don't ask for bail. Start doing your time because you are going to get a custodial sentence.
You may as well start eating into the time you're going to have to serve while you're remanded in custody. That's my opinion anyway.
You may as well start eating into the time you're going to have to serve while you're remanded in custody. That's my opinion anyway.
Okay, well, thank you very much, Duck. Carole, what have you got for us?
Well, I have a question to start. How would you guys feel about border control inspectors looking at the contents of your devices?
So imagine them snooping through your apps, your accounts, social media feeds, calendars, emails, etc.
So imagine them snooping through your apps, your accounts, social media feeds, calendars, emails, etc.
Well, I don't really like them looking through my underpants and socks, to be honest. I'd be pretty uncomfortable with them rifling through my laptop and my phone as well.
No, I wouldn't like it at all.
No, I wouldn't like it at all.
But it is a— I mean, in the UK, it's been the law for what is it, nearly a decade now that they have the right to do that in the same way, open your suitcase, they can look through your underpants and they can say, we want to have a look through your laptop and therefore make sure that if that bothers you, then, you know, you need to learn how to do backups properly so that you don't have to carry everything with you, which seems a good idea anyway.
Well, yes, and I think it's interesting, Duck, you say that because since the new US president's executive order on immigration and terrorism, privacy groups like the EFF have voiced concerns about an increase in the number of invasive digital practices.
This is what they're calling these searches during border inspections.
So in other words, they're worried that more travelers are being asked to surrender their devices and passcodes. Now, so I wanted to see how bad this problem was.
It turns out that in 2015, about 5,000 electronic devices were inspected. So this is a teeny tiny percentage of the 400 million US arrivals during 2015.
However, in 2016, there was a sharp rise. It went up to 23,000 searches as opposed to 5,000.
So I'm not surprised that the growing number of travelers entering the US, be they citizens or not, are looking to try and control this type of data leak at the border crossings.
So looking around the web, there's a number of articles on this with a lot of people providing advice.
But the advice got me thinking that perhaps we weren't really discussing the consequences of carrying out this advice, and I wanted to get your take on this, right?
So we've got, for example, carrying no devices or carrying wiped devices, encrypting sensitive files, refusing to comply, and then basically saying that you don't have your master password or you don't have your two-factor device with you.
So these are the types of popular advice that we're seeing. And I wanted to get your take. So what do you think about carrying no devices?
This is what they're calling these searches during border inspections.
So in other words, they're worried that more travelers are being asked to surrender their devices and passcodes. Now, so I wanted to see how bad this problem was.
It turns out that in 2015, about 5,000 electronic devices were inspected. So this is a teeny tiny percentage of the 400 million US arrivals during 2015.
However, in 2016, there was a sharp rise. It went up to 23,000 searches as opposed to 5,000.
So I'm not surprised that the growing number of travelers entering the US, be they citizens or not, are looking to try and control this type of data leak at the border crossings.
So looking around the web, there's a number of articles on this with a lot of people providing advice.
But the advice got me thinking that perhaps we weren't really discussing the consequences of carrying out this advice, and I wanted to get your take on this, right?
So we've got, for example, carrying no devices or carrying wiped devices, encrypting sensitive files, refusing to comply, and then basically saying that you don't have your master password or you don't have your two-factor device with you.
So these are the types of popular advice that we're seeing. And I wanted to get your take. So what do you think about carrying no devices?
Well, I would find— well, carrying no device at all, I'd find that quite difficult because I mean, I'm actually going on a trip next weekend overseas and I'd feel, yeah, I'd feel lost without my smartphone or something with me or an ability to call a cab.
I mean, not many people these days must be traveling with no devices. Yeah, I think it would actually be a red flag, right?
I mean, I think ultimately no one wants to get on that persons of interest list, right?
I mean, I think ultimately no one wants to get on that persons of interest list, right?
Well, not again anyway.
A lot of people are talking about wiping devices completely before you actually go through the border control.
Oh, yes, because that's not going to look suspicious, is it, if you have a completely blank smartphone?
Yeah, exactly. It's a suspicion of it.
And I think the whole thing here is about basically what you're doing is trying to deny customs and border control officers access to your data, right?
You're trying to say, and I think the passwords are just a way for them to get access to your data.
So by denying them access to your password, I don't know, you're risking being detained, you're risking your devices being seized.
And I just think it's important for people to understand this, right, before they kind of decide to exercise their civil rights.
And I think the whole thing here is about basically what you're doing is trying to deny customs and border control officers access to your data, right?
You're trying to say, and I think the passwords are just a way for them to get access to your data.
So by denying them access to your password, I don't know, you're risking being detained, you're risking your devices being seized.
And I just think it's important for people to understand this, right, before they kind of decide to exercise their civil rights.
Well, yeah, I've always been fascinated by, if you like, what jurisdiction you're in when you're airside in an airport.
I once had a trip, I had to fly from Iceland to Seattle to go to— it was a device driver fest at Microsoft. And you think, well, that's great.
I'm coming from the UK, I'm going to Iceland, and I'm going on to Seattle. Iceland's kind of halfway-ish.
But it turned out that the easiest way to fly from Iceland to Seattle is via Heathrow, believe it or not.
But I never entered the UK, and I was in this bus on the wrong side of this chain-link fence in amongst some sort of place where trucks get serviced. And clearly I wasn't in the UK.
I never had to show my passport. I never, as far as I can see, legally entered the UK.
And if I'd made a break for it and jumped over the fence, then I would have been doing something very bad, even though I have a right to be in the UK.
And I kind of figured, well, you know, what happens when you're in immigration? Where are you?
And so I think it's very— if you want to be one of those people who go, "Oh, I know my rights," maybe you don't.
Because it's not quite the same as if you'd actually gone across the line.
You're in this area where they're saying, well, we're deciding whether you go, whether we're going to let you go forward and take those rights.
I once had a trip, I had to fly from Iceland to Seattle to go to— it was a device driver fest at Microsoft. And you think, well, that's great.
I'm coming from the UK, I'm going to Iceland, and I'm going on to Seattle. Iceland's kind of halfway-ish.
But it turned out that the easiest way to fly from Iceland to Seattle is via Heathrow, believe it or not.
But I never entered the UK, and I was in this bus on the wrong side of this chain-link fence in amongst some sort of place where trucks get serviced. And clearly I wasn't in the UK.
I never had to show my passport. I never, as far as I can see, legally entered the UK.
And if I'd made a break for it and jumped over the fence, then I would have been doing something very bad, even though I have a right to be in the UK.
And I kind of figured, well, you know, what happens when you're in immigration? Where are you?
And so I think it's very— if you want to be one of those people who go, "Oh, I know my rights," maybe you don't.
Because it's not quite the same as if you'd actually gone across the line.
You're in this area where they're saying, well, we're deciding whether you go, whether we're going to let you go forward and take those rights.
We've come up with a bit of a few pieces of advice on this to help.
You know, I mean, the thing to understand is that these border searches are backed by immigration and terrorism legislation.
So that's, that's what, that's the reason they're doing this.
So in other words, being prepared to dispel any of these concerns to officers if they may, if, you know, if they occur, is a smart approach to right?
So you want to be prepared for questions like, what's the purpose of your visit? How long is the visit?
You know, have proof that you're not planning to stay in the US indefinitely, like a return ticket.
Have a clear schedule of where you're going to be, where you're going to be staying during your visit, and review what's on your devices and delete data or accounts that you don't need anymore or that you don't think is appropriate for this trip.
And encrypt anything sensitive.
You know, I mean, the thing to understand is that these border searches are backed by immigration and terrorism legislation.
So that's, that's what, that's the reason they're doing this.
So in other words, being prepared to dispel any of these concerns to officers if they may, if, you know, if they occur, is a smart approach to right?
So you want to be prepared for questions like, what's the purpose of your visit? How long is the visit?
You know, have proof that you're not planning to stay in the US indefinitely, like a return ticket.
Have a clear schedule of where you're going to be, where you're going to be staying during your visit, and review what's on your devices and delete data or accounts that you don't need anymore or that you don't think is appropriate for this trip.
And encrypt anything sensitive.
Yeah.
I mean, I'd like to think that, I hope it never happens, but it would be nice that, you know, if you searched, if I did have my device searched at customs or technically, maybe it's not customs, at the border anyway, I'd hope that I'd get the seal of approval from the guy saying, "Yes, it's obvious that you're not trying to hide everything and you've let us see enough for us to make an informed decision, but you obviously don't just carry absolutely everything with you where it could fall into the wrong hands." You want a little round of applause, don't you, Doug?
Yeah, you want a ripple.
Yeah, I didn't think that through, did I?
You know, the people, the victims of what they feel is unwarranted digital invasion when they've crossed borders. And there are many stories out there on the web.
It's not very fun for them to do. And I'm sure they feel that they've provided the same amount of information.
It's just, if you're on a list to be flagged, you know, and you're gonna be on that list indefinitely, and that makes international travel or travel to the US, it's gonna be pretty difficult.
It's not very fun for them to do. And I'm sure they feel that they've provided the same amount of information.
It's just, if you're on a list to be flagged, you know, and you're gonna be on that list indefinitely, and that makes international travel or travel to the US, it's gonna be pretty difficult.
Allow more time. Yeah.
And there's also that problem that if you do try too hard to stick up for your rights and you say, well, I'm not going to let you do it, then they can just shrug and go, okay, then you can't come in.
And they're perfectly entitled to do that.
And then the next time you go to the US or the UK or France or wherever, you have to tick that little box that says, "Have you ever been denied entry?" Yes, exactly.
And then underneath, "Tell us why."
And there's also that problem that if you do try too hard to stick up for your rights and you say, well, I'm not going to let you do it, then they can just shrug and go, okay, then you can't come in.
And they're perfectly entitled to do that.
And then the next time you go to the US or the UK or France or wherever, you have to tick that little box that says, "Have you ever been denied entry?" Yes, exactly.
And then underneath, "Tell us why."
"We know, but we want to see how you remember it." So I heard one other interesting idea of how to deal with this.
So if you are on a list, if you are someone who you think, you know, you'd be concerned if you were stopped.
Obviously, we recommend on this podcast that people encrypt their hard drives and encrypt any sensitive information. You know, it just makes general good sense.
But I've also heard this idea of you should use an encryption program which accepts more than one password. And so you have the password to decrypt your regular working computer.
But maybe the encryption software could take another password, which is the one you use at border control, which maybe opens a different image. TrueCrypt, if you remember that.
So if you are on a list, if you are someone who you think, you know, you'd be concerned if you were stopped.
Obviously, we recommend on this podcast that people encrypt their hard drives and encrypt any sensitive information. You know, it just makes general good sense.
But I've also heard this idea of you should use an encryption program which accepts more than one password. And so you have the password to decrypt your regular working computer.
But maybe the encryption software could take another password, which is the one you use at border control, which maybe opens a different image. TrueCrypt, if you remember that.
It was TrueCrypt which did that, was it? Well, it was one of them. Plausible deniability, as they call it.
The idea is that, you know, you refuse and you refuse and refuse and they beat you a little bit and you crack and you go, oh, and you give them a bit of the password, you give them a bit more and then they go, yes, we've got it.
And then they go in and there's this fake persona. Do you know how hard it is to create? Firstly, you've got a 1 terabyte hard drive, which has half a terabyte hard disk on it.
Well, that's interesting. What's in the other half? And you don't know how hard it is to build a likely image if you only keep it there for occasional stuff. I mean, think about it.
If you've got a Mac and you've split it so you've got Windows and Mac, and then after a while, possibly several minutes, you'll realize that there's not much point in booting Windows and you'll just stick in macOS all the time, right?
And so you'll boot Windows once a month, once every two months when you need to.
You're always going to be— and you know what a pain that is because you're always so far out of date, and then you have to sit for 4.5 hours while the partition you use less frequently.
Or if you have virtual machines and you only boot them once a month, you know what a pain it is. You boot them up, you think, oh, now I have to go through all the updates.
I really better do it that would have happened throughout the month. It's really hard to keep two lives in sync, intact.
The idea is that, you know, you refuse and you refuse and refuse and they beat you a little bit and you crack and you go, oh, and you give them a bit of the password, you give them a bit more and then they go, yes, we've got it.
And then they go in and there's this fake persona. Do you know how hard it is to create? Firstly, you've got a 1 terabyte hard drive, which has half a terabyte hard disk on it.
Well, that's interesting. What's in the other half? And you don't know how hard it is to build a likely image if you only keep it there for occasional stuff. I mean, think about it.
If you've got a Mac and you've split it so you've got Windows and Mac, and then after a while, possibly several minutes, you'll realize that there's not much point in booting Windows and you'll just stick in macOS all the time, right?
And so you'll boot Windows once a month, once every two months when you need to.
You're always going to be— and you know what a pain that is because you're always so far out of date, and then you have to sit for 4.5 hours while the partition you use less frequently.
Or if you have virtual machines and you only boot them once a month, you know what a pain it is. You boot them up, you think, oh, now I have to go through all the updates.
I really better do it that would have happened throughout the month. It's really hard to keep two lives in sync, intact.
Duck, maybe border security will be so bored after waiting 6 hours for all the Microsoft Windows updates to install that they'll just wave him through.
We can't deal with this any longer.
We can't deal with this any longer.
Maybe that's the way to do it.
Well, of course, once they can make an image of your files after you've decrypted them, I suppose that they don't, if they think you're not going to vanish off the face of the earth, they could always just take an image and then let you go and then deal with it later.
They can copy your whole hard drive, right?
Well, of course, once they can make an image of your files after you've decrypted them, I suppose that they don't, if they think you're not going to vanish off the face of the earth, they could always just take an image and then let you go and then deal with it later.
They can copy your whole hard drive, right?
And say, off you go.
They know where you're staying.
So I guess what's changed the game a lot, and I can understand this, is the fact that at least the premium versions of Windows and all the Linuxes and all MacOses have— well, in macOS, FileVault, for example, BitLocker on Windows— they have this strong full disk encryption.
And man, you should be using that. It's not there because you're a crook or a terrorist.
It's there because people lose laptops, and it shouldn't be so easy that a crook can wander up, boot your device off a USB key and copy off every single file without even needing to know how that works.
Can be automated. It shouldn't be that easy. So you should be using full disk encryption.
But then I guess the flip side is that means that at the border they can't just go, okay, we're going to take an image, we're going to image your disk, because then they get the encrypted image and it would be no use.
So I guess that's also, as more and more people try to comply with what say the Information Commissioner's Office would love them to do and not have unencrypted laptops wandering around in public, as you try and do the right thing from one side of the government's viewpoint, then the other side is in this position that they actually have to sort of stop you and say, look, you need to put in your password.
So I guess what's changed the game a lot, and I can understand this, is the fact that at least the premium versions of Windows and all the Linuxes and all MacOses have— well, in macOS, FileVault, for example, BitLocker on Windows— they have this strong full disk encryption.
And man, you should be using that. It's not there because you're a crook or a terrorist.
It's there because people lose laptops, and it shouldn't be so easy that a crook can wander up, boot your device off a USB key and copy off every single file without even needing to know how that works.
Can be automated. It shouldn't be that easy. So you should be using full disk encryption.
But then I guess the flip side is that means that at the border they can't just go, okay, we're going to take an image, we're going to image your disk, because then they get the encrypted image and it would be no use.
So I guess that's also, as more and more people try to comply with what say the Information Commissioner's Office would love them to do and not have unencrypted laptops wandering around in public, as you try and do the right thing from one side of the government's viewpoint, then the other side is in this position that they actually have to sort of stop you and say, look, you need to put in your password.
Well, it's an interesting topic, isn't it? Carole, is there anywhere where people can go to read more about this and get some advice?
Thank you. Yeah, I'd recommend actually reading this great article by The Grugq.
He's a security and counterintelligence expert, and he deals with the consequences pretty honestly, I felt. So there's a note in the show links for anyone who wants to read more.
And finally, if anyone actually feels like they've been a victim of unwarranted digital invasion, the EFF would love to hear from you.
So do email if you have a story to tell. Was that a pun, unwarranted?
He's a security and counterintelligence expert, and he deals with the consequences pretty honestly, I felt. So there's a note in the show links for anyone who wants to read more.
And finally, if anyone actually feels like they've been a victim of unwarranted digital invasion, the EFF would love to hear from you.
So do email if you have a story to tell. Was that a pun, unwarranted?
Because that's part of the legalese, isn't it?
That actually when you're in that, what you might call the no man's land, then the usual stuff about warrants and First, Second, Third, Fourth, Fifth Amendments don't really apply.
You're in a kind of, you're in a zone with sort of its own laws, its own different regulations.
That actually when you're in that, what you might call the no man's land, then the usual stuff about warrants and First, Second, Third, Fourth, Fifth Amendments don't really apply.
You're in a kind of, you're in a zone with sort of its own laws, its own different regulations.
Yeah, I think Edward Snowden was lost in one, wasn't he, for a while? I think at Moscow Airport. And then of course Thom Hanks famously.
Wasn't Snowden actually, he was in transit, but it was actually in some, like the nth floor of the hotel outside the airport. And then he couldn't leave the hotel or something.
It does get, and of course we've got Mr. Assange in the Ecuadorian flat in Kensington, and he's not in the UK, but he's certainly in the British Isles.
So it gets a bit legally crazy in places like that, doesn't it? It does.
It does get, and of course we've got Mr. Assange in the Ecuadorian flat in Kensington, and he's not in the UK, but he's certainly in the British Isles.
So it gets a bit legally crazy in places like that, doesn't it? It does.
Well, look, I think our time is up. Thank you very much, Paul, for joining us today. It's fantastic as always to have you on the podcast. Thank you, Carole, as well.
Don't forget, folks, we're on iTunes and Google Play Music and Stitcher and Overcast and all kinds of other podcast apps as well.
Even if you have one of those ghastly Amazon Echos, you can get us — if you have one of them, oh, that's the ever-seeing eye of Sauron in your kitchen.
If you're using one of those things, you can also listen to the podcast there. So check us out. Please leave a review. It really, really helps.
We really appreciate everybody who's leaving us reviews on iTunes.
It's fantastic and gives us more exposure to other people and hopefully spreads the word and really makes a big difference. So thanks for tuning in.
If you the show, tell your friends. And follow us on Twitter. We are @SmashingSecurity. That's "smashin" without a G "security" because Twitter wouldn't give us enough characters.
Why isn't our podcast name Smashin Security? Because we're on episode 11 now, Carole. It's going to be confusing. Do you think we should change the name of the podcast?
Tell us on Twitter if we should change the name of the podcast. Why not? Thanks, chaps. And we'll be back with you next week. Toodaloo. Bye. Bye.
Don't forget, folks, we're on iTunes and Google Play Music and Stitcher and Overcast and all kinds of other podcast apps as well.
Even if you have one of those ghastly Amazon Echos, you can get us — if you have one of them, oh, that's the ever-seeing eye of Sauron in your kitchen.
If you're using one of those things, you can also listen to the podcast there. So check us out. Please leave a review. It really, really helps.
We really appreciate everybody who's leaving us reviews on iTunes.
It's fantastic and gives us more exposure to other people and hopefully spreads the word and really makes a big difference. So thanks for tuning in.
If you the show, tell your friends. And follow us on Twitter. We are @SmashingSecurity. That's "smashin" without a G "security" because Twitter wouldn't give us enough characters.
Why isn't our podcast name Smashin Security? Because we're on episode 11 now, Carole. It's going to be confusing. Do you think we should change the name of the podcast?
Tell us on Twitter if we should change the name of the podcast. Why not? Thanks, chaps. And we'll be back with you next week. Toodaloo. Bye. Bye.
Graham. Don't you have something to share with us before we go?
Something to share with you before we go?
Yes. Think, think, think.
Oh yes, you're right. Absolutely. We have to say thank you to FourSys who are supporting the show this week and they've got a fantastic offer for Smashing Security listeners.
If you go to foursys.co.uk/toolkit, you can download their pack which gives you everything you need to raise awareness about computer security issues inside your organization and train your staff.
Do you remember the URL, Carole?
If you go to foursys.co.uk/toolkit, you can download their pack which gives you everything you need to raise awareness about computer security issues inside your organization and train your staff.
Do you remember the URL, Carole?
Yes. Foursys.co.uk/toolkit. How do you spell FourSys? F-O-U-R-S-Y-S.
Very good. Bye. I should charge for the jingle.
