How to Web Live Focus Edition – The Invisible Enemy: Cybersecurity in Times of Crisis

Welcome to How to Web Live! The show you need to watch to discover the stars of the technology world sharing insights and lessons of their journeys so far. Every other Thursday, log in on Crowdcast and get inspired!

In this Focus Edition episode that aired on October 29, 2020, find out from Alex ”Jay” Balan (Chief Security Researcher at Bitdefender) more about work from home and zero trust, worldwide COVID-19 related attacks and high profile targets like governmental or healthcare institutions, in a conversation with Andrada Fiscutean (Science & Technology Journalist).

Powered by its depth of security expertise and rapid pace of research and development, Bitdefender’s long-standing mission is to deliver transformative security technologies to the world’s users and organisations.

From IoT to Data Centres, from endpoints to hybrid infrastructures – Bitdefender plays a transformational role in how security is best consumed, deployed, and managed. They strive to deliver products and services that radically alter the customer’s experience with security, in terms of efficacy, performance, ease of use and interoperability.

Jay and Andrada went behind the scenes and shared invaluable insights into Cybersecurity in Times of Crisis. Here is a sneak peek into their discussion:

Watch the full discussion on our YouTube channel here.

Listen to the full discussion on Spotify and Apple Podcasts too.

3 takeaways from Jay and Andrada’s discussion:

► “You know, just shaming companies for getting hacked is one thing. I’m not saying it’s not effective, it may be, but it’s a different story. What I’m talking about is making it a safer haven for hackers to identify and report vulnerabilities. Essentially, literally making the world a safer place in the end. But if we’re not allowed to do that, then the vulnerabilities are going to still be there for years up until somebody exploits them in a big way.” –  Jay, on why actually being hacked is less effective than letting your company get ‘professionally’ hacked.

► “One thing I’ve noticed when when it comes to their way of announcing incidents is that, more recently, I don’t feel that they shy away from mentioning the names of the companies that are hacked. I’ve recently seen something similar to this where banks have been involved. And I specifically saw the names of those banks, which is nice, because it’s maybe worth as an incentive to help them protect their systems.” – Andrada, arguing on why news related to security breaches act as an incentive for security optimisation.

► “Infosec is risk management. But here’s some tips and tricks that companies can use to kind of augment their security. First of all, and the most important thing, forget what you know. And it’s weird, I know. Do not believe that you know stuff. Because, trust me, you don’t. You’re going to learn that the hard way. Don’t forget everything that you’ve learned, but doubt everything.” – Jay said, about general beliefs that companies have regarding cybersecurity.

 

Watch and Listen to the full episode to get your own takeaways!

Are you more into Reading? The Full Transcript is below!

 

Andrada: Hi, everyone, I’m Andrada. I’m a technology journalist, and I’m not alone today I have Alex Jay Balan, script kiddie and doing infosec since 1998. He also runs the Bug Bounty Program at Bitdefender. And we’re very excited to talk to you today about what’s happening in cybersecurity and the whole picture of working from home while trying to help kids with homeschool, and also trying to be safe. Welcome, Jay.

Jay: Hey, how’s it going? How’s the pandemic treating you?

Andrada: Well, I’m also working from home, which poses additional challenges because I’m also trying to do radio from home. A few minutes ago, I just sent a news package to to the station. But other than that, I’m doing well, how are things for you, how have this months been for you?

Jay: Interesting. That’s the way I put it. I mean, for me, I actually made my peace really since March. I personally, I believe that it’s gonna last a lot. So it’s not something that’s gonna pass very soon. So this is the status quo, I’m making my peace with it, I’ve made my peace with it. And you know, I’m punching through and it’s all good. Actually, I didn’t have any kind of bad experiences, other than not being able to go to the pub as much as I would like.

Andrada: I have to ask you, what are some of the coping mechanisms that you’re using? And I’m still talking about the pandemic here, not the cybersecurity industry?

Jay: Well, I mean, my go to thing whenever I have to deal with something has always been ever since I can remember. It could be worse. You know, if you if you look at things through this prism, you know, it definitely could be a lot worse. I mean, this looks in the whole grand scheme of pandemics. I mean, from the movies that we’ve seen, I guess, you know, this is like literally the least painful, harmful pandemic that I’ve heard off. I mean, you would have expected zombies and all that stuff, you know. I mean, it’s obviously more dangerous than a cold, it’s far more dangerous, and lethal and deadly. And you need to take care of yourself, right. But, you know, staying indoors and having to deal with a kid is proven to be not that bad in the end. And I mean, again, it could be a lot worse. And I also play a lot of video games, and they like to do stuff on my computer. For me, things haven’t changed that much.

Andrada: But you’re also playing a musical instrument.

Jay: I mean, having hobbies definitely works. I would encourage everybody that doesn’t have a hobby, you definitely should have. It’s like a medicine for the brain. Having something to do having something to do kind of think about and put your mind to. Having hobbies and doing stuff is definitely exercise and medicine for the brain. Exercise for the brain is medicine for the brain. So if you don’t have a hobby, guys, get a hobby.

Andrada: I’ve heard that a lot of people have called you during this months, and have asked you questions about working from home and staying safe while doing that. And I was wondering if you could tell us what are some of the things that you suggested?

Jay: Well, I’m, we’re switching to cybersecurity now. Right?

Andrada: Yeah, we’ll go back to music and hobbies and everything else.

Jay: So because you know, if you think about it, one of the most important things in life, if not in cybersecurity, is to stay sane, right? If you want to stay safe. I mean, I guess the first thing that you got to do is they sane, you know, ‘mens sana in corpore sano’, right. If you have a healthy mind that’s gonna help having a healthy body and a healthy lifestyle. But, you know, moving to a cybersecurity, the one thing that kind of changed a little bit is the focus on the home network, right? Because everybody working from home kind of puts the focus on the home network. And if anybody would have said, like, three years ago, your home network needs to be as secure as your corporate network. That would be something unheard of. Right? And unfortunately, not a sufficient amount of people say it now. But yeah, you need to treat your home network with the same kind of rules regulation policies as you would treat your corporate network. Because if your home network security is more relaxed and you get compromised there, then well through you, your corporate network may get compromised. So that’s kind of the first thing that came to mind, ever since people started talking about work from home. And then the whole concept of eliminating the corporate network, this is the fun part, right? Because if you work from home, then you have to use a VPN to connect to corporate resource, sometimes the VPN doesn’t work, you have to reset your passwords, and you have to, you know, connect to different types of assets, which you may not have routes. This is a networking term where I say, like a path in the networking world to an asset, you need a route to a server or computer in order to be able to access it. So without the stats properly defined in your corporate environment, it can get kind of tricky. So this is why a lot of companies, including ours, have started thinking about exposing some of the assets in the intranet in order to facilitate access to employees. And that shift the mindset of the CISOs and the CIOs of the world, because, you know, you have to start eliminating the private network. So yeah, there’s a million things that kind of changed to the better. It was a long time coming. You know, these changes were supposed to happen a long time ago. Do you know who the pioneer of the, as we call it zero trust concept was?

Andrada: No, but I would be interested in knowing.

Jay: Google. And do you know why?

Andrada: No.

Jay: 10 years ago, I’m going to give it two hints: 10 years ago, Aurora, or as we say, Romania, Our Aura. Ring a bell?

Andrada: Oh, I cannot connect the two so far.

Jay: One more hint: China

Andrada: China and Aurora, and zero trust architectures?

Jay: Well, zero trust was a consequence of that. So long story short, in very few words, Google got hacked. So yeah, that internal infrastructure was compromised. And the operation name, whatever you want to call it was called Aurora. And it was compromised by China 10 years ago or more. And they started a new project, because of that called Beyond Corp, Google slash beyond Corp. You’re gonna find the foundation for what we call today’s zero trust architecture. So that’s when they gave up all the systems using a certain operating system. And they switched to Linux and Mac. And then they started to kind of have this focus on authentication and identity management, rather than having the private network. So all the access to all the assets within Google now are kind of exposed directly in the internet. And the way people have access to them is based on a different set of policies called identity management, and have a set of rules for your identity. And you have a lot of logging systems that say, you’ve been there and you’ve accessed that specific time. And then based on what was granted to you in terms of privileges, then you can access the resource x, y, z, like your development server, your GitHub server. I mean, not GitHub, probably, but Bitbucket or whatever they’re using it for, for code management, and so on and so forth. And if you get compromised, the rest of the company doesn’t get compromised. That’s kind of the magic trick here, because you can get compromised. But when you get compromised because zero trust is working under the assumption that everybody is already compromised. And then shape your whole architecture based on that assumption. And that’s a very healthy assumption. I know it’s hard to swallow for a lot of people, but it’s a very healthy assumption to assume that your employees are compromised. We have 1800 employees in the organisation that I am part of. It would be stupid to believe that at least one of them is not compromised.

Andrada: There’s a lot of conversation about COVID and working from home security and breaches even and I wondering whether you think this is just the media hype or not? Do you actually see more attacks or more changes that are implemented by companies in order to prevent attacks?

Jay: Well, I do believe it’s a media hype. But, it’s worth mentioning that in cyber crime rings, they’re always going to leverage the big news. They’re always going to deliver something that people will click on, something that would be relevant to the people. So right now they’re probably gonna leverage the US elections, you’re starting to get a sneak preview on who’s in the lead in the election, right. So they’re always going to use a message that’s very compelling for the people to click on and access and see what’s going on. For example, in March, I think end of February, early March, everybody was looking for statistics on COVID. Right. And, and back then, there was a new file on the internet that that was called Coronavirus lifemap.exe. I think it was a banking stealing Trojan, it was in France, it was a backdoor that apparently didn’t do anything on your system, it would display a map, you would believe that it’s an actual map, but instead it would kind of hook into Chrome, Firefox and all the browser and start harvesting whatever people were typing in and sending the data to a remote server. And that was, again, a very popular thing to distribute because everybody was looking for that life map. And there was up until I think it was mid March, early April when the resources that were accessed in terms of life statistics about Coronavirus were kind of established and everybody knew where they were getting their data from. Up until that point, nobody knew. So whenever people saw Coronavirus lifemap.exe, an application that’s going to show Coronavirus in real time worldwide, it was very appealing. So that’s kind of the way things go, right. With each big event with each thing that kind of draws the attention of people, people will click that stuff.

Andrada: Well, that’s true. And when it comes to securing yourself, or securing your company, the company you work for a lot of people might argue that they don’t have enough money to do this. They don’t have a big budget to make some sort of changes to augment the level of security they have. And I was wondering, what’s your take on this? Do you feel that we need big investments in security or whether there could be small things that we could do to increase the level of protection?

Jay: Well you know, many people say that the infosec industry is pretty much like insurance, right? The more you invest in insurance, then the bigger the way you call it when they pay you back. Something bad happens. But yeah, I mean, infosec is risk management. But here’s some tips and tricks that companies can use to kind of augment their security. First of all, and the most important thing, forget what you know, and it’s weird, I know. Do not believe that you know stuff. Because, trust me, you don’t, you’re going to learn that the hard way. Don’t forget everything that you’ve learned, but doubt everything. First of all, that’s a very important thing. When we kickstarted the Bug Bounty Program, roughly six years ago, we secured everything, we did, like, I don’t know how many pan tests. We hired external companies to do pen tests. We thought that we covered absolutely every corner. And we ended up paying about $40,000 just one guy in the first month, just to one person. Because the creativity of hackers is endless, is infinite, they’re gonna find ways, and you’re gonna say, ‘but that’s not fair, he’s not playing by the rules’, you know, but they don’t play by the rules. And in cybercrime nobody plays by the rules. We wanted to play some boardgames and one of the exercises that I kind of mentioned ‘I’m gonna go to that guy’s laptop when he’s not near the laptop, and I’m gonna backdoor it and then we’re gonna use it to pivot and do some bad stuff’. And then they said, but you know, that’s not according to the rules. So you’re not supposed to be able, I mean, you need to have access to the laptop. But who says I have to play by the rules? So first things first: expect the unexpected, and believe that you do not know everything, and you’re going to learn a lot. Now, second of all, there’s such a thing as a baseline, which is kind of meeting criteria, meeting certifications, if you go to ISO 37 &1, 37001 or SOC 2 Type 2 or SOC 2 Type 1, there’s a number of kind of standard criteria for infosec. Which, if you meet those, you’re in pretty good shape, but they’re difficult to meet. And I guess the easiest thing that you can do is get a few badass hackers, like two or three of them, really badass. And give them, this is gonna sound again, very, very hard to swallow, give them free rein, give them the the freedom to do anything they want with your network. And when I say that, I mean, do not argue with them, do not prosecute them if they find a vulnerability and exploit it. One of the biggest issues in infosec right now, and I’m going to take this opportunity to address it, to talk about it at least, is hackers being prosecuted when they’re being white hats. So hackers being prosecuted when they’re doing responsible disclosure, there’s this awful case in Australia where a guy found some serious issues in a bank, and he very responsibly disclosed the vulnerability to the bank, and then the bank press charges and the guy went to jail. And that’s wrong on so many levels, because discouraging hackers from finding vulnerabilities in your system, doesn’t mean the vulnerabilities are going to disappear. And somebody else that may not be that ethical is going to find them and exploit them. And you’re going to be in serious trouble if somebody that doesn’t tell you about your problems is going to find those problems and exploit them, you’re not going to know about them. And they may be present in your infrastructure for months, if not years. So expose yourself, that’s the first thing that I would say, expose yourselves, encourage people to try and hack you and be thankful if they do, because at least you’re going to learn about that. And you’re going to be able to kind of close those holes and patch those vulnerabilities before somebody with bad intentions will come up and and do something very bad for your infrastructure. So yeah, I guess exposing yourself and allowing people to tell you about vulnerabilities is one of the first steps that you can do, put something on your website that says, you found a security issue with our system, just tell us, nothing’s going to happen to you. This is a very first and basic step that anybody can take, and so few do. And at least you’re going to learn about your progress and you’re going to have an opportunity to fix them, obviously, with sufficient budget. And the second step would be opening up a Bug Bounty Program in which you actually reward people for finding vulnerabilities in your system. But the challenge is a very hard pill to swallow. When I tell somebody you know, would you let somebody hack you? They always go ‘No’. So if I ask the Boston, the MIT University, ‘would you let me hack you’? Well, actually, they would probably say ‘yes’. But the general answer that I get to that question is, ‘What do you mean? No, no, I’m gonna send you to jail. And it’s a bad thing.’ What do you think about this?

Andrada: I was trying to look at this from the Bug Bounty Hunters perspective. And I know that at some point, there was an initiative in Romania, in which the local CERT wanted to be like a midpoint between the Bug Bounty Hunters and the companies. And I was wondering whether this route could could work in a way protect the people who are genuinely nice and trying to help different companies better protect themselves.

Jay: Well, then the CERT would have to do a better job at communicating this.

Andrada: And I’m not sure if it’s still ongoing.

Jay: Because you see, if the Romanian CERT would do this, that’d be great, that’d be awesome. But it’s not in any official communication and the such lists like a friend of mine identify the serious vulnerability in a certain company. And let’s say that for the sake of argument that serious vulnerability enabled an unauthorised potential attacker access to the accounts of all the companies using that, don’t know, that vulnerable company, let’s say it’s a shipping company, right? And then as an attacker, you’d have access to all the accounts and all the banks that use that company to ship credit cards, you’ll have access to all the older online stores, especially in this day and age that shipped all kinds of packages to different people, and you have access to all of that. But you would not be able to share that information. Because under the Romanian law, it would be forbidden for you people know that. And yeah, ideally, the CERT would facilitate that communication, that’d be great. But I don’t know anything about that.

Andrada: One thing I’ve noticed when when it comes to their way of announcing incidents is that more recently, I don’t feel that they shy away from mentioning the names of the companies that are hacked. I’ve recently seen something similar to this where banks have been involved. And I specifically saw the names of those banks, which is nice, because it’s maybe worse as an incentive to help them protect their systems.

Jay: You know, I’m sorry, to contradict you, but I don’t think it does. You know, just shaming companies for getting hacked is one thing. I’m not saying it’s not effective, it may be, but it’s a different story. What I’m talking about is making it a safer haven for hackers to identify and report vulnerabilities, essentially, literally making the world a safer place in the end. But if we’re not allowed to do that, then the vulnerabilities are going to still be there for years up until somebody exploits them in a big way. And then you make the news.

Andrada: But if you buy water from the supermarket, and there is a problem with a specific brand that has contaminated water, as a consumer, would you like to know which brand that is or not?

Jay: What do you think?

Andrada: Well, but it’s the same with banks, maybe because as a consumer, I want to know if my money safe.

Jay: Well, yeah, but I mean, okay. So you as the consumer would want to leave the bank and say, that’s great. Now, what if I told you that I know the bank is not safe? Again, purely hypothetical.

Andrada: Okay.

Jay: So purely hypothetical, I know that the bank is not safe, but under Romanian law, I’m not allowed to know that. Implicitly, I’m not allowed to tell them about it.

Andrada: Okay, that’s strange. Maybe there’s something that could change there, too.

Jay: It should, but it’s difficult because again, if you tell people let me hack you, they’re gonna be like, ‘Oh, no, no’. And I always say the same thing, you know, it’s better me than that guy from that foreign country that may literally try to hack you as we speak. And if you have a hole in your system somewhere, and trust me, you do, then you would rather know about it from me, then hear about it from the press. And this, unfortunately, doesn’t really fly. And ideally, CERT would handle that communication, but they should make it official in public.

Andrada: How are the banking Trojans doing, speaking of banks?

Jay: Well, they’re great.

Andrada: Making money, having fun?

Jay: Yeah, I mean, most recent one leverage is something that, you know, going back to COVID. One of the key effects that COVID had on a lot of people, unfortunately, was kind of getting a lot of people to lose their jobs, right? So it’s, it’s not a fun thing to talk about. It’s definitely one of the very tragic consequences of the whole pandemic. And besides that, it kind of got a lot of people to worry about their jobs. So everybody, I think, in most industries, is very job sensitive right now. I mean, would you agree?

Andrada: Yeah, I do agree that a lot of jobs are at stake right now.

Jay: So with people being just job sensitive, there’s this new actually wave of a banking Trojan, by the way, that is distributed initially via email. So there was an email that says and this is the weird part ‘Mind you if you get this email, it’s probably not safe to open it in which says, customer complaint number 7403 31 against you download the PDF report here and it leads to your termination. And this is the Bitdefender and this is the company’s UK office or the company’s headquarters or a company’s outsource HR department’. And it’s very targeted to the company that the person works at. They’ve done their homework, and they kind of structured the email in such a way that it does make sense to an employee. It’s believable that it comes from an outsourced HR department because many companies outsource HR, especially in termination cases and customer complaints. So it very much looks like that. And when you go, it’s usually towards a Google Drive and a lot of companies use Google infrastructure. And at the end of that Google Drive, you supposedly download a PDF file, which is actually an executable with a PDF icon. It’s either a PDF or a word icon. And that’s a banking stealing Trojan, in most cases, and mind you, by the way, and I have to say this in full responsibility in like 90% of the cases, all the samples that I’ve seen, were zero days, were not affected by absolutely anybody in the cybersecurity industry, if you upload it to virustotal, to get like zero out of 69 solutions detect this. And companies, I have to detection for that. But for whatever reason, that kind of shift a little bit. I think that we catch it on behavioural analysis, but it would have to actually be executed in order for for us to catch it. But at first glance, that sample is not picked up. So it’s highly successful. And it leverages this job security. It’s always anyone that says, ‘there’s a customer complaint against you, this is the termination document, this is the customer complaint, or in some cases, this is your bonus’. Because, yeah, this is your bonus, you done such a great job. And your supervisor recommended you for a bonus, and this is the documents for you to collect your bonus. And he’s very believable.

Andrada: Why do you think is like that? Why do you think that so many of this pieces of software rely on zero days? Because 90% is a lot?

Jay: Well, I mean, if I think about it, it may be that it’s 90% of all the things that actually reached me, a lot more that were blocked at the mail gateway level. But let’s be fair, I mean, there are solutions, no matter how good they are, bypassing antivirus or bypassing security solutions is not impossible. Right? So you have to keep that in mind. It’s always best to have a security solution installed because it’s gonna be able to automatically filter out a lot of the stuff so you don’t have to. And by the way, just personal hygiene on the internet is not sufficient. Because there’s a number of legitimate websites, I’ve got hacked and start delivering malware, for example, many people say, you know, I only visit a few websites and the websites that I know and I trust them. And that may be so but what happens if one of those gets hacked, and there’s countless examples when that happened. Even here in Romania, we’ve had a very popular live.something.ro that was going live like broadcasting of a certain TV station, and that website got hacked. Thankfully, for us, I mean, could have been worse, much like the Coronavirus, they were only doing crypto mining. So that means it wasn’t the website. Once it got hacked, the hackers weren’t delivering any malicious content, per se. I mean, they weren’t delivering ransomware or banking Trojans or stuff like that. They were stealing any kind of credentials. However they were using all the browser that visited that live streaming website that was in the browsers to mine cryptocurrency and make money that way. So do not trust that you have personal hygiene on the internet, do not trust that you have to have a security solution installed that can pick up on these kind of things. But back to the original point, not everything is infallible, and I think nothing is infallible. And every now and then there are samples that are not detected. We add detection for them. We understand how they work. We add machine learning algorithms, models and we detect them in the future. But there are situations when some samples do get through.

Andrada: You’ve just mentioned ransomware a few seconds ago, and I’ve just written a piece about hospitals attacked with ransomware in Romania. And I was wondering, what are you seeing? If you look at the intersection of ransomware and COVID, is there something interesting there happening as we speak?

Jay: Right, right, right. So, so big news in the media: hackers, slow down COVID research, hackers, attack hospitals, and this kind of big letters kind of create this emotion towards COVID and hackers and so on and so forth. Well, as far as I’ve seen, at least, they’re not targeted attacks against hospitals, right? I think that even the bad guys would not compromise hospitals in a time like this, they don’t want that. It’s what I would call from my quake days, splash splash damage, right. So it’s a machine that can get infected with ransomware, probably at some point without the proper security measures is going to get infected by ransomware. They are spreading waves of ransomware and delivery through all kinds of websites, and even jumping from one computer to the other as we’ve had in 2015, with WannaCry. And if you have an unpatched machine on your network, then that machine is going to get infected from the network with a ransomware strand, probably WannaCcry or something like that. And again, it’s not targeted against a specific system, they’re not interested in just hospitals. The way they actually work in this is very interesting. They do distinguish between the type of computer that infected. So if it’s a whole computer, they usually look at the way the directory names look like. So if it’s a brother’s personal computer, they’re gonna ask you for $600 in ransom. But if they see server x, or file server y, or something that looks like a company name, and it’s all automated, then they’re going to add a digit to the ransom if not more. So the ransom are custom made for depending on the type of computer they infect. There’s actually been a case but a hospital was infected with ransomware and I’m hoping this is not an urban legend, when the hackers actually gave the encryption keys to the hospitals so they could decrypt their data for free.

Andrada: Yeah, I heard that too. So let’s hope it’s true.

Jay: I do hope it’s true. I don’t I have no confirmation on whether or not it’s an urban legend, or it is true. I haven’t spoken with the people working at that hospital. So I hope it’s true. But yeah, it’s splash damage, as I was saying, you know, somebody that hospital clicked on some random stuff that was they were not supposed to, that computer got infected. And I saw a screenshot of, I think it was an EKG machine or something like that, an imaging machine, and it was running Windows. And it was on the same network on as the computer of that employee that got infected. And for network segregation, that means that EKG machine was not on a separate network, right? And for security software installed on the machines led to that somebody clicked on some stupid stuff online, that they got infected. And then through the network, they infected any other windows machine that was susceptible to the malware. So it’s just bad security orchestration, if you will, in the hospitals part. And mind you, by the way, I did this talk at IC health a while back with input from a friend of mine that works in a hospital, I will not disclose the name of the hospital. But he told me he sent me this large file like liquor, you know, like I should probably publish that file at some point because I was speaking to him earlier and he said that the issues are still there. He was telling me about Wi-Fi networks in the hospital, they’re very easy to guess passwords, about the security system being on the same network as that Wi-Fi, all the surveillance cameras on the same network, all the printers, all the other equipment on the same network imaging machines with Windows 3.1 I actually said that that’s a good thing. There’s windows 3.1 is way too old for anybody to infect. So you know, keep it like that. He sent me this really huge text file and if you read it, it’s insane. I mean, you know, in Romania we have this saying ‘I would grab my hair’.

Andrada: Do you know, from my conversations with a hospital administrators and managers, do you know what scares them more than having to pay a ransom? Having their salaries published online or their contracts, which is something that ransomware gangs tend to do more and more?

Jay: Do you think?

Andrada: Yeah. Well,

Jay: Are you sure? Because the way I’ve seen it, I mean, ransomware is an automated process.

Andrada: So instead of encrypting files, they threaten different entities of publishing their data.

Jay: Well, yeah, but I don’t want to have them lower their guard on anything. But that doesn’t happen very often. I mean, in cyber crime, nobody spends time to with targeted attacks. It’s all mass market. It’s all about, you know, attempting that millions, if not billions, of people. And it’s literally like in marketing, it’s a funnel, you know, send a blast wave towards a billion people out of that 100 million clicking and then 1 million actually opening the file, and then 100,000 actually getting affected. Or you send that wave that says, I know what you’ve clicked. And I’ve seen you watching porn, because I’ve hacked your camera. And that’s from credential stuffing leaks from from from online databases getting leaked. So you scare somebody into believing that you hacked them, and you have their computer, and you share it, tell them and because ‘I found this is your password’, this is what makes it believable. And I saw that your password is andrada 123?

Andrada: No, it’s not.

Jay: Now you’re gonna have to change it. And all the other passwords that you have, like, ‘I like my glasses 123’ and all that stuff. And I’m going to have to change that as well. And then they find these passwords out of online database leaks. So whatever website you register to, and all of us are registered to at least a few dozen, if one of them gets hacked, and somebody gets access to the password that you had in on that website, and then they’re going to send you an email saying, I know that this is your password, because I hacked your computer, and they’ve watched you online watching porn. And they’ve watched you doing this, and they watched you doing this and that, and watching videos like this and that. And well, funny enough, the the match on their target audience is pretty high. Because I know it’s gonna sound as a shotgun, but some people do watch porn. And some people do watch some really weird stuff online. We don’t judge. But they don’t have a high success rate, because people see that. And I’ve had people coming to me and asking, ‘I’ve got hacked because this guy knows my password and he sent me this and I’ve done all those things.’ This is a true story. Somebody actually came to me and told me these exact words, ‘I got hacked, this is my password and this guy saw me doing all of these things’. And I told him, ‘you know, I don’t judge. It’s okay, you didn’t get hacked, realise you didn’t get that, he got your passport from from a database leak and he just tried his best to guess your tastes’. And he gives them a ballot and they send this email to like billions of people and hope that somebody is going to open them. So I think that if you want to target somebody to get to get to get kind of blackmail them by saying you’re going to release their documents, I’m going to respectfully say that those are isolated cases and they don’t happen that often. The most blackmail cases are, and by the way, this is something that people should be aware of: somebody seduces you online. Literally, they start having a conversation and they get into actual, you know, nudity with their victim. And then they blackmail them because they record the whole session. This does happen and again, I know people who are subject to this, they asked for about $8,000 in blackmail, otherwise they would release the video they get the LinkedIn contacts, the Facebook contacts of that person of the victim. And then they threaten, okay, ‘I’m going to send this to your mother to your brother to your wife, or husband, to your coworkers’. And they threaten to send that video to the coworkers. And it’s an actual thing. And it does happen a lot. So if you guys or girls, talk to somebody online, get to know them a lot, and don’t send nudes on the first day. Because they’re not bothered spending time with you more than one night, by the way, because for them, it’s an investment, that time invested with one victim for them, if they have to make money out of that, otherwise, they’re going to move to the next victim. That’s how they make money, it’s like a job for them. So send nudes on the third day.

Andrada: We should write that down. I was wondering, you say that there are very few targeted attacks?

Jay: Well, yeah, because targeted attacks take effort.

Andrada: But have you seen something really interesting lately?

Jay: Well, yeah, I don’t know if the paper is out yet, but we have seen, for example, a government institution in a certain country being attacked, and not knowing about it. Having their infrastructure compromised, the domain controllers compromised, and they had no clue that is happening. And the actor wants the investigation finishes and we can confirm it was another state or another country. So I cannot share more than that, unfortunately.

Andrada: We often talk in cybersecurity about nation states attacking each other, but we don’t talk much about companies attacking each other. Is this also happening? And to what extent?

Jay: I don’t think it happens. Like anything in the world, if it can happen, it will happen, right? There is this law, if you have to remember something, if something can happen, it will happen. But when we’re talking about big companies, the fight between them is usually in the in the commercial side, in the commercial sector. Us, the labs, we are friends with each other. We even share threat intelligence with the labs from other companies. So the fight is mostly done in the commercial space, arguably, there’s a competition in which you know, who has the better technology, and who can catch the most threats and all that stuff. But as labs go, the devs, and the red teams and everything, we share stuff with each other, the infosec community is one of the greatest communities in the world. And there’s a lot of sharing, I think it’s also because of the accountability/responsibility that’s on our shoulders. Because, and I go back to the part about knowing the vulnerabilities, there’s this saying in New York, if you see something, say something. And in infosec, if I see that, there’s the potential for something to get compromised. That could be literal, I don’t want to be dramatic here, but there could be literal lives at risk. If you don’t say something, and that hole doesn’t get patched. We held off, for example, the publication of one of our research papers for a year and a half, to allow the company to fully patch their entire infrastructure and all of their products. Because if we would have published before they patched, then a lot of bad things would have happened based on our research. And we didn’t want that accountability. I think that the infosec community is one of the greatest communities in the world, simply because we aim to share for us, responsible disclosure is one of the most important things, and we genuinely believe that it makes the world a safer place, the whole world.

Andrada: Speaking of which, you mentioned the fact that you started working in cybersecurity in 1998, if I remember correctly, and I guess a lot of people ask you how things have changed since 1998. So I would like to ask you, what are some of the things that haven’t changed?

Jay: So one thing that hasn’t changed is the thing that got me into cybersecurity and that’s RATs. I am not talking about, big teeth, the plague and long tails. I’m talking about what we currently call ‘remote access tools’. We used to call them backdoors. I don’t know why we don’t do that anymore. But yeah, the moment I got into into infosec was a friend of mine called me on my landline. Some of you don’t know, landlines are these phones that you have and are always connected to a wire, and they uses pulses to tell the operator what number they’re trying to dial. So this guy called me and said, Jay, I just discovered this programme that allows you to control another person’s computer, all you have to do is just send it if the executed, you have full control over that computer and it can do anything you want. And I was fascinated by that. And the programme was Sub7, and back then there were three huge backdoors Sub7, Back Orifice and Net Pass back in 1998. So this is one thing that hasn’t changed. Right now we call them remote access tools and they provide hackers, they connect to a command and control server, which enables hackers to remotely control hundreds of thousands of computers enrolled in what we call a botnet. Back then you only had one computer that was the C two, which was my computer, and the victim and the client. After that, I actually did a talk once on the history of cybersecurity. One of the things that was pivotal infosec, it was the year 2001, I think, maybe 2002, when some guy, I think Romanian, started to automate all the hacking tools and all the hacking on all the vulnerabilities that were discovered, he started to automate them to have the entire world. Let’s say that was a vulnerability in the Apache web, which is a very popular server that saves web content. And we knew about it, and we weren’t using it for bad, we would test one another’s systems to see if they were vulnerable. Actually, another popular one was the first Samba exploit, is like the file sharing service. And I remember myself getting hacked by a friend, he told me not to patch that machine and then I patched it, of course. We would only do this to each other. Now this guy used that exploit and said, ‘I want to try the entire internet’. And thus, well, not the first one, because the first one was the Morris Worm, but the first actually meaningful, dangerous, causing chaos across the internet working to be and that guy would remember that the time script kiddies started being so many, especially in Romania, they will do scan a whole range of IP addresses, they had no idea what they were doing, absolutely not. They would just run a programme that would hack like thousands of computers on the internet, and they would have no idea what they’re doing. But the flip side of that was that from that moment onwards, companies started paying more attention to cybersecurity. And we had a harder time doing pen testing, we had a harder time, because usually they wouldn’t know about it, and we would be like, ‘okay, that’s that vulnerability and that vulnerability’, easy money, we would hack very easily into their systems, if we wanted, completely legal, they would ask us to. And then once somebody started hacking the whole world, whenever a new vulnerability surface, whenever a new exploit was public, he would use that or they would use that to have the whole world and those programmes were distributed to everybody. In an internet cafe in Romania, you would see people scanning the internet for different types of vulnerabilities, again, without having any idea what they were doing. And hacking like thousands of machines, so that make the world a safer place, in a sense. So that was a turning point, in my opinion. And that was one of the moments when the world woke up and said ‘you know, we have to take the cybersecurity thing more seriously’.

Andrada: And there was another inflection point around that time when people started to write malware, not just for fun, but also for profit. When do you think that this inflection point was?

Jay: Let me get back to you with another question. What was the moment ransomware became successful?

Andrada: The Bitcoin?

Jay: Yes, yes. So the first ransomware attempt was in 1986, I think, when a guy in the US encrypted another guy’s files, and said, ‘I’m going to decrypt them if you pay me money.’ However, there was no anonymity involved, and there was literal money involved. So the guy showed up with $200 and the police. So that was like the first ransomware attempt. And the thing that kind of changed the whole game was Bitcoin, because Bitcoin enabled hackers to receive payments, while remaining under the cover of anonymity. And I guess that cybercrime took a turn towards financial with the first fraud attempts. I know, we don’t like to call them hacking, they’re not hacking, but they are related to cybercrime when people sold the cathedral in Alexandria, and some guy sold a jet engine. And well, obviously, they didn’t sell anything, but they did collect the money for them. So online fraud was very popular and then phishing, it was definitely before ransomware. And the shift towards making money out of viruses, I think it was the 2004, right after the Conficker virus. So Conficker was probably the first again dangerous worm that would self propagate using the file and print sharing the exploit much like WannaCry, is in eternal blue. And then after that, the first password stealers started to pop up. So they would crawl the database, the password database from Chrome, it was a small SQL lite, which is a small database file, non encrypted, completely accessible by anybody on your computer. And those password stealers would kind of look for that file. And then Steam came up, and they would look for Steam accounts and then they would look for Skype conversations, that was another one, and then ransomware. I think 2005-2006 was the beginning of making money out of malware. But at the same time was the beginning of making money out of fishing accounts, there was thought start selling credit cards. So when somebody steals your credit card, they’re not going to use it. Well, in most cases, they’re going to sell it. So we’re going to make a collection. And then on the deep web, you can find collection of 40,000 credit cards, $39, it’s that cheap.

Andrada: Yeah, even RATs are cheap, you can buy one for a few.

Jay: Another way they’re making money is by not hacking, but by renting services. So if you’re not a hacker, and you want to make money from cybercrime, you can rent a malicious ransomware or a malicious RAT. So you can rent them, you can rent a custom version of them, you can rent the delivery method. And you’re going to invest about $15,000 probably for delivering ransomware strands to about a few hundred, thousand victims, potential victims and the collection platform so you can invest that money if you’re willing to do something illegal. And usually there’s a good return on that investment. Not that I would suggest you do it because it is illegal and you will go to jail because people like me and my colleagues will catch you. We have a roughly 100% success rate on catching bad guys. Yeah, you don’t want to do that. But what what they’re doing, for example, in the case of DDoS attacks. DDoS attacks are when they cut off a service when they’re shutting down like they’ve done in 2016, they shut down Netflix, they’ve shut down Twitter and they’ve shut down a number of services. So that’s a denial of service attack. The denial of service attack is a distributed denial of service attack in which they use 10,000, 100,000, many hundreds of thousands of zombies hack computer to attack a specific target. So they had, let’s say, 500,000 devices. And it’s not just computers anymore, right? It’s also IoT. It’s also cameras, baby monitors, routers, printers, smart fridges, you know, that urban legend about 200,000 smart fridges that were sending spam. Okay, so they would have like, this vast array of devices, cameras, computers and then they would rent you a chunk of that. So you would pay $15 for 5000 hacked computers, or hacked two devices to attach a website for 15 minutes. So you would say, Okay, I want a chunk of 5000 devices for 15 minutes, how much? And it would be, let’s say, $15. Okay, pay $15. And then those 5000 devices would hit your target with everything they’ve got. And picture it, everybody has at least 100 megabits at home. So multiply 5000 by 100 megabits on average. And you get how big that attack is going to be and it’s only $15. The are renting the services.

Andrada: It’s quite affordable. As we spend a lot of time inside, this year, and we had some time to contemplate about the whole philosophy that surrounds the field of security and privacy. And I was wondering if your philosophical thoughts have changed over this months?

Jay: No.

Andrada: Not at all?

Jay: I’ve always had some kind of unpopular opinions when it comes to privacy, which sometimes contradicted what was very popular in the media. I don’t see Facebook is evil. I don’t see Google is evil. I know what they’re doing. And I still don’t see them as evil corporations. Not to say that they’re good. But when it comes to privacy, I think that the most important part is not to deny Google or deny Facebook or turn off our computers and move into the mountains, which is kind of what the tendency is when people are hyped about the whole privacy bit. Again, as I was saying, but remember that you don’t know everything, I see people with the nice sticker on the video cameras. And there’s people that genuinely believe that the sticker on the video camera is helpful for the privacy. Much like there’s people that believe that the earth is flat. And that, you know, vaccines cause autism, they’re all wrong. The earth is not flat, vaccines do not cause autism and the sticker on your video camera is useless. And you know why? Because literally all the attacks that target the video camera involves social engineering, are those blackmail attacks in which somebody tries to get you to undress and you’re going to take the sticker off yourself. There’s literally no other attack that targets the camera to take picture. There are attacks that harvest information for blackmail, targeted attacks. They target the microphone, not the video camera, because I’m getting the audio is much more interesting than seeing pictures of me in my briefs.

Andrada: Yeah, nobody cares about those anyway. We have space for just one last question. And I was wondering since the pandemic it will still continue in the next months. Maybe if you could tell us what your favourite hacker movies is? Whether it’s something we should all watch right now?

Jay: So absolutely hands down my old time favourite hacker movie is ‘Hackers 2 – Operation Takedown’. The story of Kevin Mitnick being chased by Satoshi Nakamoto. And related movie is ‘The Pirates of Silicon Valley’. If you want to see a movie about Bill Gates and Steve Jobs, it’s not ‘Jobs’ and it’s not from Hollywood. It’s the ‘Pirates of Silicon Valley’. That’s the movie to see if you want to see the history of Apple and Microsoft. So yeah, ‘Hackers 2 – Operation Takedown’ and ‘The Pirates of Silicon Valley’.

Andrada: And they would also recommend ‘Tehran’, which is an interesting movie about the diplomatic as well as cyber relations of Israel and Iran. And since is not an American movie, it’s done differently. Which is something that we should also have in mind, because we’ve seen maybe too many American movies lately, due to Netflix and other platforms. So thank you again, Jay, for being here today. I hope it was fun for you and for everyone. And I’m sure that How to Web will continue this series of interviews with people who helped shape the tech sector in Romania, but also in Eastern Europe. Thank you.

Jay: It was great to be here. And thank you for having me.