DOUG. Patches, fixes and crimelords – oh my!
Oh, and one more password manager in the news.
All that, and more, on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, everybody.
I’m Paul Ducklin; he’s Doug Aamoth…
…think I got that backwards, Paul: *I* am Doug Aamoth; *he* is Paul Ducklin.
Paul, we like to start the show with a This Week in Tech History segment.
And I’d like to submit something from very recent history.
This week, on 06 February 2023, our very own Paul Ducklin…
DUCK. [DELIGHTED] Woooooo!
DOUG. …published an interview with technology journalist Andy Greenberg about his new book, “Tracers in the Dark – the Global Hunt for the Crime Lords of Cryptocurrency.”
Let’s listen to a quick clip…
[MUSICAL STING]
PAUL DUCKLIN. There’s really been a fascination for decades to say, “You know what? This encryption thing? It’s actually a really, really bad idea. We need backdoors. We need to be able to break it, somebody has to think of the children, etc, etc.”
ANDY GREENBERG. Well, it’s interesting to talk about crypto backdoors, and the legal debate over encryption that even law enforcement can’t crack.
I think that, in some ways, the story of this book shows that that’s often not necessary.
I mean, the criminals in this book were using traditional encryption.
They were using Tor and the Dark Web.
And none of that was cracked to bust them.
[MUSICAL STING]
DUCK. I know I would say this, Doug, but I strongly recommend listening to that podcast.
Or, if you prefer to read, go and look through the transcript, because…
…as I said to Andy at the end, it was as fascinating talking to him as it was reading the book in the first place.
I thoroughly recommend the book, and he’s got some fantastic insights into things like cryptographic backdoors that come not just from opinion, but from looking into how law enforcement has dealt, apparently very effectively, with cybercrimes, without needing to trample on our privacy perhaps as much as some people think is necessary.
So, some fascinating insights in there, Doug:
Tracers in the Dark: The Global Hunt for the Crime Lords of Crypto
DOUG. Check that out… that’s in the regular Naked Security podcast feed.
If you’re getting our podcast, that should be the one right before this.
And let us now move to a lightning round of fixes-and-updates.
We’ve got OpenSSL, we’ve got VMware, and we’ve got OpenSSH.
Let’s start with VMware, Paul:
VMware user? Worried about “ESXi ransomware”? Check your patches now!
DUCK. This became a huge story, I think, because of a bulletin that was put out by the French CERT (Computer Emergency Response Team) on Friday of last week.
So, that would be 03 February 2023.
They simply told it how it was: “Hey, there are these old vulnerabilities in VMware ESXi that you could have patched in 2000 and 2021, but some people didn’t, and now crooks are abusing them. Surprise, surprise: end result equals ransomware.”
They didn’t quite put it like that… but that was the purpose of the bulletin.
It kind of turned into a bit of a news storm of [STARTLED VOICE], “Oh, no! Giant bug in VMware!”
It seems as if people were inferring, “Oh, no! There’s a brand new zero-day! I’d better throw out everything and go and have a look!”
And in some ways, it’s worse than a zero-day, because if you’re vulnerable to this particular boutique cybergang’s attack, ending in ransomware…
…you’ve been vulnerable for two years.
DOUG. A 730-day, actually…
DUCK. Exactly!
So I wrote the article to explain what the problem was.
I also decompiled and analysed the malware that they were using at the end.
Because I think what a lot of people were reading into this story is, “Wow, there’s this big bug in VMware, and it’s leading to ransomware. So if I’m patched, I don’t need to do anything, and the ransomware won’t happen.”
And the problems are that these holes can be used, essentially, for getting root access on ESXi boxes, where the crooks don’t have to use ransomware.
They could do data stealing, spam sending, keylogging, cryptomining, {insert least-favourite cybercrime here}.
And the ransomware tool that these crooks are using, that’s semi-automated but can be used manually, is a standalone file scrambler that’s designed to scramble really big files quickly.
So they’re not fully encrypted – they’ve configured it so it encrypts a megabyte, skips 99MB, encrypts a megabyte, skips 99MB…
…so it’ll get through a multi-gigabyte or even a terabyte VMDK (virtual machine image file) really, really quickly.
And they have a script that runs this encryption tool for every VMware image it can find, all in parallel.
Of course, anybody could deploy this particular tool *without breaking in through the VMware vulnerability*.
So, if you aren’t patched, it doesn’t necessarily end in ransomware.
And if you are patched, that’s not the only way the crooks could get in.
So it’s useful to inform yourself about the risks of this ransomware and how you might defend against it.
DOUG. OK, very good.
Then we’ve got a pokeable double-free memory bug in OpenSSH.
That’s fun to say…
OpenSSH fixes double-free memory bug that’s pokable over the network
DUCK. It is, Doug.
And I thought, “It’s quite fun to understand,” so I wrote that up on Naked Security as a way of helping you to understand some of this memory-related bug jargon.
It’s quite an esoteric problem (it probably won’t affect you if you do use OpenSSH), but I still think that’s an interesting story, because [A] the OpenSSH team decided that they would disclose it in their release notes, “It doesn’t have a CVE number, but here’s how it works anyway,” and [B] it’s a great reminder that memory management bugs, particularly when you’re coding in C, can happen even to experienced programmers.
This is a double-free, which is a case where you finish with a block of memory, so you hand it back to the system and say, “You can give this to another part of my program. I’m done with it.”
And then, later on, rather than using that same block again after you’ve given it up (which would be obviously bad), you hand the memory back again.
And it kind of seems like, “Well, what’s the harm done? You’re just making sure.”
It’s like running back from the car park into your apartment and going up and checking, “Did I really turn the oven off?”
It doesn’t matter if you go back and it’s off; it only matters if you go back and you find you didn’t turn it off.
So what’s the harm with a double-free?
The problem, of course, is that it can confuse the underlying system, and that could lead to somebody else’s memory becoming mismanaged or mismanageable in a way that crooks could exploit.
So if you don’t understand how all that stuff works, then I think this is an interesting, perhaps even an important, read…
…although the bug is reasonably esoteric and, as far as we know, nobody has found a way to exploit it yet.
DOUG. Last but certainly not least, there’s a high-severity data stealing bug in OpenSSL that’s been fixed.
And I’d urge people, if you’re like me, moderately technical, but jargon averse…
…the official notes are chock full of jargon, but, Paul, you do a masterful job of translating said jargon into plain English.
Including a dynamite explainer of how memory bugs work, including: NULL dereference, invalid pointer dereference, read buffer overflow, use-after-free, double-free (which we just talked about), and more:
DUCK. [PAUSE] Well, you’ve left me slightly speechless there, Doug.
Thank you so much for your kind words.
I wrote this one up for… I was going to say two reasons, but sort-of three reasons.
The first is that OpenSSH and OpenSSL are two completely different things – they’re two completely different open source projects run by different teams – but they’re both extra-super-widely used.
So, the OpenSSL bug in particular probably applies to you somewhere in your IT estate, because some product you’ve got somewhere almost certainly includes it.
And if you have a Linux distro, the distro probably provides its own version as well – my Linux updated the same day, so you want to go and check for yourself.
So I wanted to make people aware of the new version numbers.
And, as we said, there was this dizzying load of jargon that I thought was worth explaining… why even little things matter.
And there’s one high-severity bug. (I won’t explain type confusion here – go to the article if you want some analogies on how that works.)
And this is a case where an attacker, maybe, just might be able to trigger what look like perfectly innocent memory comparisons where they’re just comparing this buffer of memory with that buffer of memory…
…but they misdirect one of the buffers and, lo and behold, they can work out what’s in *your* buffer by comparing it with known stuff that they’ve put in *theirs*.
In theory, you could abuse a bug like that in what you might call a Heartbleed sort of way.
I’m sure we all remember that, if our IT careers go back to 2014 or before – the OpenSSL Heartbleed bug, where a client could ping a server and say, “Are you still alive?”
“Heartbleed heartache” – should you REALLY change all your passwords right away?
And it would send a message back that included up to 64 kilobytes of extra data that possibly included other people’s secrets by mistake.
And that’s the problem with memory leakage bugs, or potential memory leakage bugs, in cryptographic products.
They, by design, often have a lot more to hide than traditional programs!
So, go and read that and definitely patch as soon as you can.
DOUG. I can’t believe that Heartbleed was 2014.
That seems… I only had one child when that came out and he was a baby, and now I have two more.
DUCK. And yet we still talk about it…
DOUG. Seriously!
DUCK. …as a defining reminder of why a simple read buffer overflow can be quite catastrophic.
Because a lot of people tend to think, “Oh, well, surely that’s much less harmful than a *write* buffer overflow, where I might get to inject shellcode or divert the behaviour of a program?”
Surely if I can just read stuff, well, I might get your secrets… that’s bad, but it doesn’t let me get root access and take over your network.
But as many recent data breaches have proved, sometimes being able to read things from one server may spill secrets that let you log into a bunch of other servers and do much naughtier things!
DOUG. Well, that’s a great segue about naughty things and secrets.
We have an update to a story from Naked Security past.
You may recall the story from late last year about somebody breaching a psychotherapy company and stealing a bunch of transcripts of therapy sessions, then using that information to extort the patients of this company.
Well, he went on the run… and was just recently arrested in France:
DUCK. This was a very ugly crime.
He didn’t just breach a company and steal a load of data.
He breached a *psychotherapy* company, and doubly-sadly, that company had been totally remiss, it seems, in their data security.
In fact, their former CEO is in trouble with the authorities on charges that themselves could result in a prison sentence, because they just simply had all this dynamite information that they really owed it to their patients to protect, and didn’t.
They put it on a cloud server with a default password, apparently, where the crook stumbled across it.
But it’s the nature of how the breach unfolded that was truly awful.
He blackmailed the company… I believe he said, “I want €450,000 or I’ll spill all the data.”
And of course, the company had been keeping schtumm about it – this is why the regulators decided to go after the company as well.
They’d been keeping quiet about it, hoping that nobody would ever find out, and here comes this guy saying, “Pay us the money, or else.”
Well, they weren’t going to pay him.
There was no point: he’d got the data already, and he was already doing bad things with it.
And so, as you say, the crook decided, “Well, if I can’t get €450,000 out of the company, why don’t I try hitting up each and every person who had psychotherapy for €200 each?”
According to well-known cybersleuth journo Brian Krebs, his extortion note said, “You’ve got 24 hours to pay me €200. Then I’ll give you 48 hours to pay €500. And if I haven’t heard from you after 72 hours, I will tell your friends, and family, and anyone who wants to know, the things that you said.”
Because that data included transcripts, Doug.
Why on earth were they even storing those things by default in the first place?
I shall never understand that.
As you say, he did flee the country, and he got arrested “in absentia” by the Finns; that allowed them to issue an international arrest warrant.
Anyway, now he’s facing the music in France, where, of course, the French are seeking to extradite him to Finland, and the Finns are seeking to put him in court.
Apparently he has form [US equivalent: priors] for this, Doug.
He’s been convicted of cybercrimes before, but back then, he was a minor.
He’s now 25 years old, I do believe; back then he was 17, so he got a second chance.
He got a suspended sentence and a small fine.
But if these allegations are correct, I think a lot of us suspect that he won’t be getting off so lightly this time, if convicted.
DOUG. So this is a good reminder that you can be – if you’re like this company – both the victim *and* the perpetrator.
And one more reminder that you have to have a plan in place.
So, we have some advice at the end of the article, starting with: Rehearse what you’ll do if you suffer a breach yourself.
You’ve got to have a plan!
DUCK. Absolutely.
You can’t make it up as you go along, because there simply won’t be time.
DOUG. And also, if you’re a person that’s affected by something like this: Consider filing a report, because it helps with the investigation.
DUCK. Indeed it does.
My understanding is that, in this case, plenty of people who received these extortion demands *did* go to the authorities and said, “This came out of the blue. This is like being assaulted in the street! What are you going to do about it?”
The authorities said, “Great, let’s collect the reports,” and that means they can build a better case, and make a stronger case for something like extradition.
DOUG. Alright, very good.
We will round out our show with: “Another week, another password manager on the hot seat.”
This time, it’s KeePass.
But this particular kerfuffle isn’t so simple, Paul:
Password-stealing “vulnerability” reported in KeePass – bug or feature?
DUCK. Actually, Doug, I think you could say that it’s very simple… and immensely complicated at the same time. [LAUGHS]
DOUG. [LAUGHS] OK, let’s talk about how this actually works.
The feature itself is sort of an automation feature, a scripty-type…
DUCK. “Trigger” is the term to look for – that’s what they call it.
So, for example, when you save the [KeePass] database file (maybe you’ve updated a password, or generated a new account and you hit the save button), wouldn’t it be nice if you could call on a custom script of your own that synchronises that data with some cloud backup?
Rather than try to write code in KeePass to deal with every possible cloud upload system in the world, why not provide a mechanism where people can customise it if they want?
Exactly the same when you try to use a password… you say, “I want to copy that password and use it.”
Wouldn’t it be nice if you could call on a script that gets a copy of the plaintext password, so that it can use it to log into accounts that aren’t quite so simple as just putting the data into a web form that’s on your screen?
That might be something like your GitHub account, or your Continuous Integration account, or whatever it is.
So these things are called “triggers” because they’re designed to trigger when the product does certain things.
And some of those things – inescapably, because it’s a password manager – deal with handling your passwords.
The naysayers feel that, “Oh, well, those triggers, they’re too easy to set up, and adding a trigger isn’t protected itself by a tamper-protection password.”
You have to put in a master password to get access to your passwords, but you don’t have to put in the master password to get access to the configuration file to get access to the passwords.
That’s, I think, where the naysayers are coming from.
And other people are saying, “You know what? They have to get access to the config file. If they’ve got that, you’re in deep trouble already!”
DOUG. “The people” include KeePass, who’s saying, “This program is not set up to defend against someone [LAUGHS] who’s sitting in your chair when you’ve already logged into your machine and the app.”
DUCK. Indeed.
And I think the truth is probably somewhere in the middle.
I can see the argument why, if you’re going to have the passwords protected with the master password… why don’t you protect the configuration file as well?
But I also agree with people who say, “You know what? If they’ve logged into your account, and they’re on your computer, and they are already you, you kind-of came second in the race already.”
So don’t do that!
DOUG. [LAUGHS] OK, so if we zoom out a bit on this story…
…Naked Security reader Richard asks:
Is a password manager, no matter which one, a single point of failure? By design, it’s a high-value target for a hacker. And the presence of any vulnerability allows an attacker to jackpot every password on the system, regardless of those passwords’ notional strength.
I think that’s a question a lot of people are asking right now.
DUCK. In a way, Doug, that’s sort of an unanswerable question.
A little bit like this “trigger” thing in the configuration file in KeePass.
Is it a bug, or is it a feature, or do we have to accept that it’s a bit of both?
I think, as another commenter said on that very same article, there’s a problem with saying, “A password manager is a single point of failure, so I’m not going to use one. What I’ll do is, I’ll think up *one* really, really, complicated password and I’ll use it for all my sites.”
Which is what a lot of people do if they aren’t using a password manager… and instead of being a *potential* single point of failure, that creates something that’s exactly, totally *and already* a single point of failure.
Therefore a password manager is really the lesser of two evils.
And I think there’s a lot of truth in that.
DOUG. Yes, I’d say I think it *can* be a single point of failure, depending on the types of accounts you keep.
But for many services, it isn’t and shouldn’t be a single point of *total* failure.
For instance, if my bank password gets stolen, and somebody goes to log into my bank account, my bank will see that they’re logging in from the other side of the world and say, “Whoa! Wait a second! This looks weird.”
And they’ll ask me a security question, or they’ll email me a secondary code that I have to put in, even if I’m not set up for 2FA.
Most of my important accounts… I don’t worry much about those credentials, because there would be an automatic second factor that I’d have to jump through because the login would look suspicious.
And I hope that technology gets so easy to implement that any site that’s keeping any sort of data just has that built in: “Why is this person logging in from Romania in the middle of the night, when they’re normally in Boston?”
A lot of those failsafes are in place for big important stuff that you might keep online, so I’m hoping that it needn’t be a single point of failure in that sense.
DUCK. That’s a great point, Doug, and I think it kind of illustrates that there’s, if you like, a burning question-behind-the-question, which is, “Why do we need so many passwords in the first place?”
And maybe one way to head towards a passwordless future is simply to allow people to use websites where they can choose *not* to have the (air-quotes) “giant convenience” of needing to create an account in the first place.
DOUG. [GLUM LAUGH] As we discussed, I was affected by the LastPass breach, and I looked at my big list of passwords and said, “Oh, my God, I’ve got to go change all these passwords!”
As it turns out, I had to *change* half of those passwords, and worse, I had to *cancel* the other half of those accounts, because I had so many accounts in there…
…just for what you said; “I have to make an account just to access something on this site.”
And they’re not all just click-and-cancel.
Some, you’ve got to call.
Some, you’ve got to talk to somebody over live chat.
It was much more arduous than just changing a bunch of passwords.
But I’d urge people, whether you’re using a password manager or not, take a look at just the sheer number of accounts you have, and delete the ones you’re not using any more!
DUCK. Yes.
In three words, “Less is more.”
DOUG. Absolutely!
Alright, thank you very much, Richard, for sending that in.
If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.
You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @NakedSecurity.
That’s our show for today; thanks very much for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…
BOTH. Stay secure!
[MUSICAL MODEM]