GPS Live | November 18, 2022
Posted by: GuidePoint Security
This week on GPS Live, Jonathan and Tristan discuss leaky backups, lockscreen bypass bug bounties, and the impacts of not having a proper ransomware response plan. (Transcript below)
Tristan 01:58
Hello, hello. Hello we are back. Back again.
Jonathan 02:03
Yeah, a week off!
Tristan 02:06
A week off, and then next week also off because we have a lot of holidays.
Jonathan 02:11
Well, next week we got what, turkey day coming up, everybody gets to take a breather, right, spend some time with their their friends and family–friends-giving, Thanksgiving, whatever it is you do here in America.
Tristan 02:25
Whatever you do in America, whether you are celebrating with friends as like a friends giving thing, or with your family, or alone–Hey, that’s cool too, some of us like just chillin. We hope you guys enjoy next week. But this week, we are back with another GPS live to cover some interesting stories that we found, Jonathan and I, stories maybe that may not be the most important in cybersecurity news. But we thought they were cool.
Jonathan 02:49
Look, I do try to find at least somewhat interesting things when I’m doing my article hunts and stuff that is great for I think our audiences to hear about because of you they can relate, you know, all those things.
Tristan 03:05
Yeah, I do want to note really quickly that for this week, actually, Jonathan found all the stories.
Jonathan 03:13
Well, I didn’t want to say that.
Tristan 03:13
I don’t want to take any credit where it’s not due. I’m doing pretty well. How are you doing?
Jonathan 03:20
I’m doing super awesome. It is… it is definitely cold season down here in Florida and my cold season, I mean, 50s. But overall, things are things exciting. We’re wrapping up getting towards the end of the year. And that means that more and more interesting things are happening in cyber.
Tristan 03:39
More and more interesting things are happening cyber and before we talk about those things, we do need to note that the views and opinions expressed by the host of this livestream are our own and they do not necessarily represent the views and opinions of GuidePoint security. In case we say anything really stupid which we strive not to do.
Jonathan 03:59
It happens from time to time. But but but no, everybody thank you for tuning in online and from around the world. We thank you. This is GPS live for the week of November 18, 2022.
Tristan 04:15
2022, quickly coming to a close all too soon. I’m kind of mad.
Jonathan 04:20
Always flyin’ by.
Tristan 04:23
Always flyin’ by. But we have some interesting stories this week. And I think I think this first one is actually really, really interesting given what we talked about last time that we had this show. So Jonathan why don’t you go ahead and kick us off.
Jonathan 04:37
Sure thing. So even though we were off last week, but the week before we covered a little story involving some Microsoft data that was publicly accessible, and this seems to be kind of a reoccurring thing, right? This is not the first time that we’ve heard of things like an AWS s3 bucket being publicly accessible, or in the other story, like a BLOB of data being publicly accessible, generally, this kind of stuff does happen. It’s totally a permissions and a configuration issue. It’s not like these platforms are necessarily getting hacked by any means. And, and so these things continue. But it’s a little bit of a different twist on this. And so this story coming to us from dark reading, focuses around a tool set on AWS called RDS, which is a database platform that allows you to make what’s called snapshots or back for backup purposes. And in a similar nature, permissions can completely go awry–
Tristan 05:36
Which for a database, right, for a database being able to take a snapshot for a backup is actually pretty great. Given the world we live in–
Jonathan 05:42
Of course!
Tristan 05:43
–right now, right? We live in a ransomware heavy world, your database gets encrypted, a snapshot is a great thing. This is a great tool. What could go wrong, Jonathan?
Jonathan 05:52
Well, well, here’s what goes wrong is just like any of these other you know, data storage facilities, or just services that are cloud based and online, it can be private, or it can be accidentally made public. And that is where this kind of abuse kicks in. Right?
Tristan 06:10
Yeah. The, the problem in question here being like, like you just said, when these are connected to the public Internet, one of the feature sets within this tool allows you to share these snapshots. And when you share them, you can share them outside your organization. And regardless of privilege, or role, or, or, or access that these people have to this, you can just share them publicly. And when you do that, it creates a publicly accessible snapshot that people can find and access. And what was interesting about this, is that the the researchers who were who were going about this, and looking into this, were able to find tons and tons of these publicly accessible databases, some of which were accessible–
Jonathan 06:55
Thousands!
Tristan 06:57
Thousands, right. Yeah, that, which a ton is technically 2000 pounds, so I’m gonna still say tons and tons.
Jonathan 07:05
[Laughing] Good job, good job.
Tristan 07:08
We still got there. But some of them were accessible for months. Some of them are accessible only for a short period of time. But all of that is enough time for an attacker, who knows that this is available to be able to be searching for these things. I mean, we see this all the time with open RDP, right? You can just do a scan for things that have–
Jonathan 07:27
Oh, yeah.
Tristan 07:28
–on an RDP port and openly accessible. So there’s ways for people to obviously find these and get into them. But the really interesting thing that they were looking at as they went through them, is that there is metadata associated with these databases, including a field called MasterUsername, that just often will have the company name, like the company who created this database or an acronym for them. Or sometimes it’s a specific person within that company who, who is like kind of the admin and owner of this. And then they can just do a LinkedIn search to figure out, hey, is this database actually going to be useful for me if I want to do anything?
Jonathan 08:08
Exactly. And so between, you know, it’s a configuration or a mishap error of trying to handle your, your backups and snapshots of your databases, and, you know, leaving all these breadcrumbs, bits of information that have mentioned, what was the username, the to the database is literally part of the meta. So half the challenge of how to log in, it’s already done for you. And furthermore, you know, tracing down the owner, potentially using it as part of some kind of ransom. Right, which is stuff that we’re seeing now. And, and so, yeah, the researchers are kind of putting together a mix of AWS platform tools to really pilfer and find these things. And it seems like the exposure doesn’t have to be very long. They’re saying it can be extremely short and still be accidentally discovered by a threat actor, whereas equally, there’s definitely, they’re saying they had snapshots that are there for months, right. And so at that point, it almost seems like it’s due time until somebody stumbles across it by simply knowing that the possibility exists. So, crazy stuff.
Tristan 09:20
Well and some of the databases too, that they–just so people kind of understand the scope of the problem that exists here–is that some of the databases the researchers were able to access one appeared to be from a car rental agency and include tons of PII about the customers. So car rental agency, what kind of stuff are you giving them, you’re giving them credit cards, you’re giving them driver’s license info, you’re giving insurance information, like all of those things are now accessible in this database. Another one looks like a dating service that they just call it a now defunct dating application, but that contains emails, passwords, birth dates, personal images, private messages. And that to me is actually, that sets up like a almost like a movie plot scenario, right of like a important and powerful person being blackmailed. Because accidentally their dating profile was discovered by someone else and like, you know, when your PII gets out there, whether you’re an important person or not, right, that’s all information that can be used against you. So, while that may not seem like a massive, you know, a massive risk on its face, right? If you’re, if you have one of these publicly shared applications, and there’s any PII in it whatsoever, and a customer finds out, a customer of yours finds out that the reason that they’re getting scammed right now, or the reason that they that all of their info is out there is because of this, like that liability falls back to you.
Jonathan 10:53
Yeah. And you know, it, you’re not completely helpless. So in the in the article, they do at least cover a couple of tips that are helpful for people that think that they may be affected by this kind of thing, right. So Amazon RDS, does have a number of different mitigations and configurations that could at least prevent these things from happening in the first place. For instance, they offer the ability to encrypt snapshots using a KMS key, you can also do a lot more when it comes to the service control policies that will kind of trickle down and apply to the accounts and prevent these unintended sharings, as they call it, of the RDS databases. So really just just be aware, you know, they mentioned an email is sent out if you make your snapshot publicly accessible. But there’s also a bit of a gap. They said it took about 23 minutes, right, and a lot can happen in 23 minutes, because there’s bots, you know, trolling the internet looking for this stuff. 24/7.
Tristan 11:54
And if you’re using this service, they also, you know, if you go to the if you go to dark reading to look at this, and then you fall back to the original story. And the researchers do outline a process for doing a historical check using Cloud trail logs to see if any of your databases have ever had a public snapshot created. So you can at least find out hey, do any of these exist for my organization? The only problem that they do call out is that there’s currently no way to see if someone copied a public snapshot. So public snapshot has been made of a database that you own, you cannot assume that just because you found it, things are fine. Right? Immediately assume that the probably worst case scenario has already occurred and proceed from there.
Jonathan 12:43
Well, talking about worst case scenarios, Hey, can I borrow your phone? Because I no longer need your pin code apparently, apparently, in this latest article coming to us from TechCrunch, a security researcher hit a massive bug bounty. We’re talking $70,000 here, for a pin bypass on Google Pixel devices. And I first off, I’m a huge fan of bug bounty programs. I think they’re super awesome for what they deliver to a company, when it comes to just kind of crowdsourcing that research and having somebody, through bug bounty hunters, broker those conversations and validate it. And it sometimes complements the security team really well. And again, this is John’s opinion. But these are the reasons that I like it, is the $70,000 thing and so, so yeah, pin bypass was clearly valuable. And it sounds like it was just a little bit of a trick to really get it function. And it wasn’t like anything crazy at the end of the day.
Tristan 13:53
Yeah, this the way that this works is this this researcher David Schütz, I believe is the way it’s pronounced when you have the two dots around on top of the “u”. He’s a Hungarian researcher. And this came out of just he, he had a problem a personal problem of his own, he forgot his sim unlock pin. And so he went and he found the packaging for his original SIM card, he scraped off the code on the back and got his sim unlock code and entered it into his phone. When he put the new SIM card in and realized that something didn’t look right, it wanted his fingerprint right away. Now, if you don’t know this, if you don’t have an Android phone, and I do, anytime you reboot, if you’re using fingerprint as your unlock, you can’t use fingerprint until you’ve entered your phone’s pin.
Jonathan 14:47
The first go upon a reboot, you have to put in the pin and then any other session after that can be unlocked through biometrics.
Tristan 14:56
Exactly, exactly. So he you know, he turned his phone off, he swapped his SIM card in, he entered his sim unlock code. And it presented him with the fingerprint option. And he thought that’s not right. Because I’ve rebooted my phone, it should ask for the pin. I’ll look into this later. And so then he started toying around with it. And he kept on getting the same results. But one time, he forgot to turn the phone off, and reboot it before swapping the SIM. So he hot swapped the SIM tray, entered the unlock code, and it immediately brought him to the homescreen.
Jonathan 15:29
It’s so cool!
Tristan 15:31
It’s, it’s super cool. And he mentions in here, he hates finding bugs like this on accident. Like, if he’s not looking for them, he doesn’t want to find security flaws in the products that he’s using.
Jonathan 15:41
Yeah, this, this is a great example of one of those, like logic flaw cases, where it’s not necessarily a vulnerability, in hack, right, like in the sense of like, some kind of injection attack, or they had to do like a side channel attack on the hardware by changing the voltage, you know, that powers the processor, like no, this is just kind of one of those logical step flaws. Where, you know, doing something–
Tristan 16:08
Looking for a pin, phone got pin.
Tristan 16:09
And it’s, it’s interesting to note, he tried this, he had a fully, fully updated pixel six,
Jonathan 16:09
–Yeah, yeah, you gotta, you gotta run and test it. And having a pin is standard, right. And so here, at least in America, having having a locked SIM card is pretty normal. And if anybody has ever tried to put a different SIM card in their cell phone, it’s locked to the carrier, you’re immediately asked to put in a pin for your SIM card. And so in this case, it sounded like it was a you know, ripe for opportunity. And so I was watching the video of how it happened. And yeah, you know, this, this kind of goes to show that really anybody whether you are a professional hacker or not, can can stumble across something that’s, that’s extremely valuable, especially in the bug bounty world.
Jonathan 16:23
Yup, patched, latest, newest hardware, all that stuff.
Tristan 17:02
Yep. So he grabbed an old pixel five and tried it there. And it worked there as well. So this has already been patched. Google has already released a a security patch for this and taken care of this. But yeah, speaking of like to what you were saying earlier about the the beauty of the bug bounty system is, the reason that his payout was so large is because Google offers up to $100,000 for any lockscreen bypass that affects one or more pixel device, like that is– or, that affects multiple or all pixel devices.
Jonathan 17:35
I feel like I need to get an Android, so I can start messing with it, just to see if I can, almost like a cat attack where you just poke the screen until something happens, or you just just, you know, go to town and expect it to just freak out because it’s one of those like, outlier. You can’t do it through test case. And, you know, UI testing and all that other fun stuff.
Tristan 17:59
Yep. And also just kind of interesting stuff. His his write up is actually very good. You can find the story on TechCrunch. And, and they have a link directly to his his blog. The only reason I’m not going to read off the direct link to his blog is because it’s a little bit of, like, alphabet soup kind of scenario. I think it’s xdavidhu.me. Bugs.xdavidhu.me. And I’m not going to go through the rest of it. But But yeah, it’s a very interesting story. And it you know, it’s there’s, there’s not much that we can take from this from a security perspective as like, “well, here’s how you can protect your organization from this,” right? Other than if you’re going to let people again, bring their own devices and pull their own things in, right? Like, Android offers a work profile option, like there, you take advantage of these things that you can do. So when someone wants to connect their work profile to their phone, take advantage of the fact that there are security settings that you can put in place through Google that say, Hey, this, your your work is now a device administrator on this device. And everything for your work needs to be segmented over here into this work profile. Take advantage of those things. And if there are any other security features that you can enact, enact them, I say, hoping that that doesn’t happen, because it’s just going to make my life difficult.
Jonathan 19:23
It also you know, our viewers online, right. If you’ve ever participated in a bug bounty program, if you’ve ever been paid out in a bug bounty program, we want to hear about it.
Tristan 19:31
Oh, yeah.
Jonathan 19:32
It is definitely super cool. And there are lists online, like these big lists of different businesses, including companies like Google and Facebook and Microsoft and everybody under the sun that pays top dollar to find bugs in their, you know, software and systems and responsibly disclose it directly to them and and they will reward you quite handsomely. So.
Tristan 19:56
Yeah, you know, and I have met people who that’s their primary source of income, is they, they just go around looking for bug bounty programs. And they’re like, yeah, if I can knock out 10 really simple low level bug bounties, you know, in a week, that’s enough money for me.
Jonathan 20:16
It pays you for a couple months and go and back to having a good time. So tell us about apparently some, somebody from Down Under didn’t have a good time, though, right?
Tristan 20:27
Did not have a good time. And this, this actually, I think goes goes back a little bit to some stuff we were talking about with the Amazon RDS snapshot dump, specifically around snapshots are great, because you can protect yourself from ransomware, right, by backing up all your data. In this, this particular story. So this is a kind of cautionary tale, Australian insurance company Medibank was hit by ransomware. And the they did not pay the ransom, within the time allotted. And the ransom gang that hit them, followed through on their promise and published all of the data that they had, all the stolen health records that they had, for millions of Australian citizens through Medibank. They just went ahead and published it, clear text online, anyone can go look at that, right? So the hackers have claimed that they spent a month in Medibank systems. And they have posted what they’re calling “naughty” and “nice” lists of health records. So which is I mean, pretty, pretty terrible, because their “naughty list” includes people who are seeking treatment for things like drug addiction or eating disorders, which are medical issues. Like if you’re not choosing to have an eating disorder, right, there’s a whole great conversation we could have there. But that’s, you know, highly sensitive information that people wouldn’t want to have out in public. And because Medibank refused to pay the ransom, they went ahead and just published it all and made it public. But I think that there’s a good moral, if not a moral story, a good moral TO the story here. The moral of the story is not, “Well, then you should just pay the ransom,” the moral to the story is you should have a comprehensive ransomware response process in place for when something like this happens, right? You’re and that needs to include not just do we have backups of our databases that we can restore from, but it also includes who are the lawyers, who are the negotiators? Who are the people that we’re going to call the second we know we have ransomware in our environment, to step in and help us through the legal framework, but and then help us talk to the people holding the ransom, and figure out what they actually need and want.
Jonathan 22:48
But that’s the kicker, right? And so the article, coming to us from Gizmodo, actually goes on to explain that Medibank didn’t have cyber insurance. And cyber insurance does cover a lot of those things, right?
Jonathan 23:02
Crisis management, and how to handle PR and communications, but also the incident response, the networking, the IT, the cybersecurity services, the tools, the people, all that kind of kicks in with this. And, you know, there’s a lot of conversations that we’ve been having over the past couple of years, right, I would imagine, many of our viewers online have either been a part of or heard, you know, “Do we pay the ransom? Do we not pay the ransom? Are these ransom gangs serious when they say if I pay it, that they’re going to delete the data? And if I don’t pay it, they’re going to share it? Can we trust them? And how does that even work in the first place?” And so the ransom gang did exactly, you know, what they said was going to happen. And what a lot of people fear is, the reality is, they don’t just, you know, steal the data, but now they’re making it public as kind of doubled down for not participating and playing along. In fact, the article goes on to say that they published communications in emails that the ransom gang had with Medibank to show and authenticate that, you know, there was an attempt of negotiation, and they wanted nothing to do with it. Right. And I know here in the United States, you know, it is standard practice for law enforcement to not–to suggest to not pay, right, I believe that’s the current route. Now, obviously, if you have cyber insurance and general counsel, there may be a risk factor that is measured, and a decision may be made. But I know, generally, from my understanding, the FBI would say don’t pay as your first intuition. As in, they may not hold up their end of the deal because they are criminals at the end of the day. Or it may not, or you’re enticing more of this kind of activity by showing that it’s successful, which is really just kind of a tough position to be in from either side. So, so yeah, being able to account for not just if this is gonna happen to us, but But what do we do when right? How do we tabletop this? 
How do we know how to respond? And are we doing the appropriate things?
Tristan 23:02
Right
Tristan 25:15
And I want to correct something I said earlier, it is not on the open web, it’s on the dark web. You have to you have to be able to–
Jonathan 25:21
Oh, I’m sorry, I have to download Tor browser now. Okay, one extra tool?
Tristan 25:26
I yeah, I did just want to make that clear, because I did misspeak earlier. But, you know, like, like you were saying, right, to note that they didn’t have cyber insurance. Having cyber insurance is obviously very important. But it’s also important to note that cyber insurance will require you to have all these things in place before they insure you. Right, so. So it’s kind of like a catch 22. They’re like, yeah, they didn’t have cyber insurance, because they didn’t have those things in place, maybe? Who knows. But they’ve been criticized for their their slow response to the attack, and to saying that they didn’t believe that the hackers had stolen any personal information or that any personal information was breached, which, again, speaks to having the properly formed response plan in place, right, having, having your PR people, having your legal people who can tell you like, this is what you can– because I’m sure that this now puts them on even more of a hook. Right? If they came out and said, “Nope, there was no problem!” And suddenly, it’s like, well, there was and did you know there was and you were just lying to try and downplay things? You know, these are these are really interesting.
Jonathan 26:34
Well, so kind of as a bit of a show note mix up I did throw in a fourth story this week and I hope that we have time to cover it.
Tristan 26:44
We will here in just a second I just want to say one thing, because we’re talking about ransomware. As a plug this week, we actually published the October GRIT (GuidePoint Research and Intelligence Team) ransomware report.
Jonathan 26:58
Do it now!
Jonathan 26:58
Nice!
Tristan 26:58
So all of their detailed analysis of ransomware that happened across the month of October. They’re tracking, I think it’s somewhere in the 40 plus groups, ransomware groups right now, and looking at their publicly posted victims and tracking all kinds of really interesting information. And they’re also keeping track of newly emerging ransomware groups. And they’ll do write ups on the most interesting ones that are coming out. So if you’re watching this live, or if you’re watching this on demand, you can head over to guidepointsecurity.com/blog, and you will see the GuidePoint Research and Intelligence Team’s great ransomware report for the month of October, some really interesting stuff in there.
Tristan 27:01
Yeah smash that, smash that subscribe button, ring that bell, do all the things. So this fourth story though, yes, this is actually a very interesting little tidbit that you found here.
Jonathan 27:52
Yeah, I’m actually like super fascinated with this stuff. Because it’s starting to really take, not just like a criminal enterprise take on the internet, but we’re seeing Hollywood and commercials and businesses utilizing deep fake technology, right? But but we do have a problem with it right? We’re seeing all kinds of misinformation campaigns utilizing deep fake technologies to send political messages to incite violence and confusion. And so this latest article coming to us from Gizmodo highlights an Intel technology that is capable of a 96% recognition rate of detecting fakes. And this is live.
Tristan 28:35
In real-time.
Jonathan 28:37
Right, real-time streaming video will detect whether or not within 96% accuracy, whether it is a deep fake altered video stream. And keep in mind, you know, for those that aren’t familiar with deep fakes, the idea is to replace the likeness of an individual or person within a video with somebody else, right. And so potentially, it could make it look like a person who is a public figure, or famous, saying things that they normally wouldn’t say simply by overlaying the famous person’s face on an average Joe. And that way, you know, you wouldn’t know any different it is true deception at its finest. And I’m glad to see more capabilities around detection. We’ve seen stuff on the internet, This Person Does Not Exist, which will generate an artificial human that looks really clean and clear. We’re using real-time generated graphics like tools like Midjourney and OpenAI that are being used to create social media profiles, dating profiles, right we’ve we’ve talked about this on the show in the past, about fake people being used to target victims for either romance scams, financial scams, whatever it may be. And so, definitely really cool stuff and if anybody’s interested in learning more about the deepfake technology and how they capture it, this is a great article to kind of pivot off of and hit that rabbit hole.
Jonathan 28:38
Yeah, yeah. It’s really interesting, especially in the the age of disinformation kind of that we live in right now. And with the implosion of large social media platforms, right? This kind of stuff is just going to become all the more important to be paying attention to and be very vigilant about. So. That brings us to the end of our show, and it’s been a full half hour.
Jonathan 30:38
What a week!
Tristan 30:40
What a week it has been, we again will not be around next week.
Jonathan 30:45
Happy Thanksgiving, everybody in the United States!
Tristan 30:47
Happy Thanksgiving to all of our US viewers. And again, if you enjoyed this, go ahead and leave us a comment. We always love hearing from you guys. Whether you watch it on demand or you watched it live. We will see you again in two weeks. And until then, I have been Tristan Morris.
Jonathan 31:05
And I’m Jonathan Singer,
Tristan 31:07
And we will see you in two weeks. Thanks so much everybody.
Jonathan 31:11
Take care!
Tristan 31:11
[Singing] I always forget to pull the video up. Here we go.