Season 1 Episode 7: Hacker conspiracies

Bastien: The rise of cybercrime and technology has brought with it the ability to manipulate our understanding of the news. All the time we’re seeing news articles and we don’t know whether it’s fake or not. We even have presidents such as Trump stating that factual news is fake. So the public really doesn’t have much of an understanding of what they should believe.

Fake news spreads huge amounts of fear in our community, things from racial hate to dislike of certain communities and mistrust in government. It’s all basically driving us apart, which is essentially the aim of the individuals perpetrating this news. Some obvious examples include alerts on Facebook saying that there’s a new virus and you need to download the software to protect yourself. Often the software is written by a criminal and will spread the malware that you thought you were protecting yourself from. Particularly for non-technical people, it becomes a minefield trying to navigate what’s real and what’s not.

I’ve got Fergus Brooks here, formerly from AON Insurance. He’s got some really good insight into this particular field and some interesting theories as well.

Fergus: There’s been manipulation of Facebook and other social media in order to impact elections. That’s interesting with federal elections coming up in both the US and Australia, to see how these platforms will handle that. There was also the Cambridge Analytica issue whereby a company had been harvesting information about people from their Facebook accounts and selling that information on to other individuals. It’s been very public and Facebook has since come out and said that they’re really focusing on privacy. 

I think we all agree that it’s too late now because we’ve had our accounts for ten years and they have ten years worth of information. That’s not so much a conspiracy theory as an actual fact that still was theorised for a long time earlier before it all came to the surface. There’s not a conversation that Mark Zuckerberg has with the media where he doesn’t talk about their focus on privacy. 

Bastien: A conspiracy theory we could touch on is how everyone was fascinated with the disappearance of MH370. How can a modern-day jetliner just go missing out of airspace with all the radars, communication and satellite systems, and the onboard computers? It’s mind-boggling really in this day and age. Obviously that raised the question: was it a cyber attack? Was it a manipulation of the airliner by a national body? I don’t think anyone to this day knows fully what actually happened. You could take the common sense approach and consider the plane was attacked.

We know that planes can be hacked; we saw the security researcher back in 2015 who repeatedly warned the FBI that it was possible to attack the infotainment system on the aircraft and take control of the aircraft command system. After he hadn’t been listened to for some time, he boarded a United Airlines flight and used USB sticks, hard drives, and a laptop to hack the aircraft. He issued a climb command and a turn command to alter the trajectory of the aircraft. Ultimately, he got sent to jail, but he tried to do the right thing when he warned the FBI many times. He believed he did it in a safe manner, but ultimately he went to jail because he put the lives of hundreds of people at risk trying to prove a hack.

It does beg the question: why wasn’t he listened to? Why in the world are the information and entertainment systems on the aircraft connected to the command system? I would disconnect it, wouldn’t you Fergus?

Fergus: Absolutely, we’re seeing a couple of things here. I was on a flight the other day where there’s WiFi in the cabin. It’s not very fast but you have systems that use your own devices and you connect via WiFi to the entertainment systems. You see this on a lot of airlines now where they don’t have screens anymore as they’re depending on you to use your own screen. Those devices can be loaded up with whatever you want. You’re looking at an environment up in the sky, where if it’s not completely secure we’re going to have those issues come up.

The other thing we’ve been seeing over the last six to seven years is things like the Boeing 787 Dreamliner and the Airbus A380 having automated systems in their WiFi. This enables the machine, as soon as it comes in to land, to tell the fuel tankers how much fuel it needs, any maintenance it might need, or any problems from the computer system. Let’s look at a conspiracy theory on this one: what if a terror group manages to connect into that? Thereby the maintenance isn’t correct, there’s not enough fuel in the tank – there are all these sorts of things that can happen.

I agree with Bastien, the question about MH370 still remains. Where is it and what happened to it? We know it crashed, but how and why did it crash with a perfectly competent pilot on board? There are so many automated systems that talk to the towers.

Bastien: The cascading failure of the systems within MH370 makes sense with a fire happening in the cabin. The pilot would have to take so many actions to turn off the satellite systems, the onboard computer, communication systems, and the transponder – you would think that someone would notice this happening. It’s kind of a logical progression of fire moving through these systems.

It brings home the fact that everything is connected using technology these days, and technology is susceptible to cybercrime. Cyberterrorism has a much easier role to play today in affecting these systems. If we look at the Ukrainian power hack by Russia, they essentially used an email spear phishing campaign to gain control of the corporate networks. Then they gained control of the SCADA networks, which is a very simple signal system that allows you to turn things on and off, whether that be a valve, electrical system, switch or breaker. They managed to take control of Ukraine’s power systems and shut off power for a considerable amount of time.

Now these SCADA systems exist all over the place. If we use Australia as an example, our gas and electrical systems are controlled by them. A lot of the time these systems aren’t particularly well secured. We ourselves have experienced hacking SCADA systems for organisations, and we have a hundred percent success record. We’re pretty good at what we do, but so are cybercriminals and cyberterrorists out there. It’s a pretty scary prospect that all these systems could be so easily manipulated, changed, hacked, and breached into.

A new tool came out this week from Kevin Mitnick, a security researcher, called USB Ninja. This looks exactly like a USB cable that you would charge your phone or connect your laptop with. It has many variants from USB-C to micro-USB. You plug this cable into your computer and it instantly gives a backdoor and allows the attacker entire access to your system. These have already been sold online. A fully patched Windows 10 or Mac OS X environment has no solution for this hack at the moment. So be careful of what cables you use, and think twice before using the free phone chargers at foreign airports in particular. The sockets even have the ability to pull the contacts out of your phone or backdoor software into your laptop. Given just how innocent these devices look, start looking around you right now.

Fergus: It’s become so ubiquitous that in Sydney we even have charging stations in ferries. I don’t know if those charging stations were put there by Sydney Ferries, I don’t know if they were tested or if people can replace the cables. But they get used all the time by people on their way back home or on the way to work with no charge.

Bastien: Everyone has so much capability these days. You can buy a 3D printer for around AUD $1500 and print something that will fit and look completely customised for Sydney Ferries. Criminals for a long time now have been 3D printing devices that clip over the card slot of the ATM where you get money. It looks entirely legitimate and normal, and when you swipe your card through they have all your details. They can put a camera on that device as well to watch you put your PIN in.

Fergus: I don’t know how this goes as conspiracy theories, but I think in the upcoming federal elections in the US and Australia we’ll see a lot of interesting aspects to people trying to manipulate votes. I think that’s been proven by the Trump election, but we’ll also see whether that will apply to the Australian election because people tend to be disillusioned. You’ll also have corporate interests and corporate sponsorship seeing whether or not they can influence the election. The fact that sometimes criminals sponsor the corporates, and the corporates have their favourite politicians that they support, shows that there’s a whole world of it going on.

Bastien: Looking at how a cyberterrorist might influence an election, think about when you’re using any of your internet-connected devices. We’ve all experienced this: when looking at buying something, we’ll happen to be searching across various websites for it and all of a sudden, on every single website that you go to, the advertisement seems to be about what you were just searching for. Now that’s using cookies, but we as humans generate so much content that can be used or stolen. It can even be used to target individuals to push them into certain actions. For example, we’ve got devices like the Google Home and Alexa that are listening to everything we say, and they’re basically listening for a keyword like “Hey Google/Alexa.” That means they’re recording constantly. Those two devices may not actually be used maliciously, but it definitely begs the question: can they be used to understand who you are as a person?

Pretty quickly, say for an election, we can get a fair idea of which way I’m going to vote. You can basically cause fear in individuals to skew their vote in a certain way. There’s been a lot of fake news about negative gearing, terrorism, and such. I’ve had conversations with people I went to school with that I would’ve never considered to be racist, but after so much fake news and information that they perceive to be real, they’re on the bandwagon ready to vote for someone like Pauline Hanson because they’re scared that their life is going to be changed. Now that’s just an example of how news and the media and cyberterrorism could be used to gather content about an individual and then suggestively help them down a path of voting for a particular individual or party.

Fergus: In the case of Cambridge Analytica, they were paying for ads and Facebook has the capability to target the ads towards your behaviours. It’s no wonder that people are falling for it because they see it there and think it’s real news and that everyone on Facebook is seeing the same news, as opposed to just seeing something that’s specifically targeting you. That’s what we discovered when Cambridge Analytica had been doing this, and other companies too, all because Facebook allowed them access to apps.

Bastien: We live in a time when cyberterrorists have way too much control over our actions and a lot of it is fear mongering and pushing us down a certain road. Obviously when we’re confronted with fear or a reality that we don’t like, the natural reaction is anger, and so it creates an action. That action can be exactly what these guys want you to do.

Fergus: I wanted to touch on blockchain and other cryptocurrencies like Monero. Many people have been claiming that blockchains aren’t secure technology, but that’s incorrect as the blockchain is designed to be secure. But where we’ve seen problems with it have not been in the blockchains themselves, it’s been in the administration of them. People need to understand that, and also the fact that people are using cryptocurrencies and blockchain in order to support organised crime and cyberterrorism; that’s how money is getting in untraceably. I have a couple of former colleagues at the FBI who explain how it makes it incredibly difficult to track these actions back to the source. What we’re seeing is a lack of capability for law enforcement to get on top of this because of features like untraceable cryptocurrency.

Bastien: If you look at the history of crime about ten years ago, if you perpetrated a crime and ended up with a significant amount of money in your possession it was a reasonably complex task to either create fake identities or bank accounts to move funds around. Whereas today you can essentially transfer digital cash in the form of USD or AUD straight into something like Monero. For a criminal it’s far easier to gain cyber access to an environment, breach into the banking systems of a business or individual, and then use a website to transfer funds into Monero (which is similar to Bitcoin but uses a stack that makes it untraceable, similar to say the old school numbered Swiss bank accounts we all wish we had).

Fergus: To go back to the topic of the internet of things and SCADA systems in particular, which I refer to as one of the families of industrial control systems. There’s been a theory in the IT security industry for a long time now that at some stage we’re going to see a flip from the focus on financial crime to infecting these physical systems, because there’s not a level of security on these systems. The scary thing about this is that these are critical systems; as Bastien mentioned, they’re connected to gas and electricity. In Australia, someone even got into a dam and opened up the sluice gates due to a weak password. These systems are becoming increasingly connected and I don’t know that we’re necessarily giving as much consideration to the security of these systems that are being connected up.

The other thing that happens is that engineers, who typically look after these systems (not IT), will reason that it’s on a different network to the internet-connected infrastructure. In a lot of cases that’s definitely not true. The same worms and viruses that can impact a corporate network, which we see all the time, could potentially take down the infrastructure. Or there could be an extortion to take down this critical infrastructure that’s not being considered much by the IT.

Bastien: A reality of working in the cyber research field is that we’re constantly exposed to these vulnerabilities and exploits that exist. Nearly everyone in the industry has thought about their perfect cybercrime. I tell the junior interns that join CTRL Group that they will think about these things and there’s no way to prevent that. But there’s a lot more money to be made by being on the good side, and we call that the “white hat” side of cybercrime. These are the security researchers that work tirelessly every day to find these exploits and create software, patches or processes to prevent them from happening. But if you were to commit crime you’d be looking over your shoulder for the rest of your life. Luckily, for 99.99% of us, we don’t go down that path.

But if I were to be asked about the perfect crime and for some reason we needed to unlock millions of dollars very quickly, I’d look into invoice payments. I’m personally aware of companies that process about 90,000 invoices a day in the order of millions going in and out of their bank accounts. The security posture that is protecting these procurement systems is pretty poor. We do a lot of work at CTRL Group to help these organisations harden and fortify their banking and payment systems, particularly the invoice and procurement systems, to prevent this kind of fraud happening.

The truth of it is that it’s very easy to infiltrate a network via an email phishing attack, voice phishing attack or even a device attack like the USB Ninja cable or a keylogger. Then basically change bank account numbers and redirect funds to something like a Monero cryptocurrency, and you could walk away with millions of dollars overnight. If you were clever enough you could do this in such a way that would be basically untraceable by today’s taskforce of police and FBI and the global community trying to prevent these things.

That’s where we are today, we need to move away from these things, and instead of thinking of cryptocurrency and blockchain as a negative thing, we need to actually use these technologies and systems to secure the process end-to-end to make it far more difficult for a cybercriminal or cyberterrorist to steal these funds. But for me, the perfect cybercrime in this day and age would be some kind of banking man-in-the-middle attack to redirect funds into a cryptocurrency of some kind.

Fergus: I’ve seen insurance claims for these exact scenarios. Coming through the vulnerability chain looking for zero-hour vulnerabilities and exploiting them quickly. Zero-hours are not known by firewalls or antivirus as of yet and haven’t had time to be covered up. Where you’re exactly right, Bastien, and we’re starting to see this adoption by a lot of companies testing it, is using the blockchain to secure things that can be stolen.

A good example of that is healthcare records: you can use the blockchain to store records in a distributed ledger system. What that means is you can update the ledger as changes get made and it still remains secure without you building a big amount of paper trail that can get you into trouble. I think adaption on our part goes to what organisations can do; individuals can potentially stop being so skeptical about blockchain and cryptocurrency because it’s established now. Doing thorough testing over these new technologies to make sure they’re going to work and be administered properly is another critical direction forward.

Bastien: You touched on zero-hour vulnerabilities; traditionally these were code snippets, software that was written by a hacker or cyberterrorist to infiltrate a system. Up until fairly recently, there was no real way of preventing these things from happening, other than one poor organisation or individual experiencing some kind of malicious action and then research companies like Symantec or the CVE database cataloguing what happened, understanding the code, and sending out a virus or firewall update that would no longer allow this particular code to work.

But we now have technologies that work in a different way. We look at what is normal behaviour, normal file usage, and even normal data behaviour on a network. Once you have a thorough understanding of what’s normal it’s pretty easy to see the sore thumb sticking out of some strange code packet doing some strange things on a device. We call that user behaviour analytics or network behaviour analytics. It’s essentially using machine learning and algorithms to look at what the norm is and then using computer processing power to understand what’s not normal and stopping those processes. So we do now have a way to protect against zero-hour vulnerabilities, but unfortunately organisations are either not deploying these agents or not taking cybercrime seriously, and they’re still relying on the antivirus or firewall to protect them.

News is just thrown at us left, right and centre across multiple devices at work, at home and on the TV, on your phone, mobile and IoT devices at home. What I would really suggest that everyone do is this: when you get that emotional reaction from some piece of news, don’t just read it and incite some kind of emotional response. That’s what these cyberterrorists want you to do. Spend even thirty seconds to do a bit of research and ask: is this information true? Is the source reliable? Should I really be sharing this? Once you’ve done that piece of research, by all means share it if you believe it to be important. Right now, everyone is reading everything, believing it to be true and then sharing it. It acts like a massive amplifier for these criminals to blast out whatever message they want to manipulate us.

Do a little bit of research, think twice before sharing, and hopefully we can all live in a better, safer world.