Transatlantic Cable podcast, episode 99

July 2, 2019
Dave and Jeff discuss the latest trend in US cities paying the ransom, hacking the smart home, Cirque du Soleil app issues and more.

The 99th edition of the Kaspersky Transatlantic Cable podcast comes to you straight from the Motherland — er, Fatherland, as my colleagues have corrected me. Dave and I, reporting together from Russia, take a look at a handful of stories that will pique your interest and that you may have missed during your busy week.

To kick things off, we start in the good ol’ USA, where a second Florida city has paid for a ransomware attack. This trend of cities paying the crooks is worrying. From there, we head to a different kind of circus and its app’s lack of a security protocol. The third story follows up on a security breach at the US border. Then, we look at the world of fake Instagram verification before closing out with a tale of how our boss’s smart home was hacked.

If you enjoy the podcast, consider subscribing and sharing with your friends who need more regular updates on security. For the full text of the stories, please visit the links below:

Jeff: David, seems like the story that we’re gonna kick off with this week, we just talked about last week because it’s kind of becoming a little bit of an endemic in the US where a second city in Florida was hit with ransomware.

Dave: Yeah, you guys don’t seem to catch a break at the moment, do you. We ran the story, which was last week, I think, where there was again in Florida, a city got hit by ransomware I think about 60 Bitcoins.

Jeff: Yeah. And this one, they paid 42 which is almost 500,000 US dollars. 460 at the time of the Threatpost’s post that Lindsey wrote. What I think is the scary part about this is that this is like this has been a year where municipalities in the US have been under attacks. We have seen Baltimore, two in Florida, and the worst part about it everybody keeps paying.

Dave: Yeah, I mean, this is the second payout. What I’m surprised by is the fact that both of these payouts the majority of the payment was made by the insurance companies. And I think on this story saying that I think everything bar 10,000 US dollars is going to be covered by the insurance money. But the other 10,000 US dollars is gonna have to be paid by the taxpayers. I am surprised because we’ve had the story from the FBI it all the time, the GCHQ, and pretty much every IT security team will tell you never pay ransomware because it only enables attackers to carry on doing what they’re doing. But yeah, this is the second story that we’ve seen where this year so far. Yeah, where people are paid cities are paid the ransomware and you know, these like, hackers in hoodies somewhere probably going great, you know, we’re going to make lots of money off this. And they will see stories like this and they’ll go —

Jeff: I’m about to get paid, son.

Dave: Yeah, yeah. So I think I think we’re in kind of dangerous territory here, where hackers are seeing that these campaigns work. So that’s obviously only going to going to incentivize them further to carry on doing what they’re doing.

Jeff: I think this tweet from Eugene is probably the best thing that I saw to summarize this as we get out of these stories before we talked about them for hours: May 7, Baltimore, 18 million; June 20, Riviera Beach, 600,000; June 26, Lake City 500,000. Also Atlanta, Jackson County, Albany, and many more city administrations fell victim to ransomware attacks and sometimes paid a ransom, very disturbing trend. I think it’s you know, that’s like a good tweet. Getting on there where it does talk about what’s going on. Now, this one, we’re going to go a little bit different kind of circus, not the government this time. You know, we all we all love our government circuses, but this story talks about the TORUK app. I feel, we’re in Russia, that kind of sounds Russian that was made by you know, made for a Cirque du Soleil for one of their latest show for the TORUK show. That just sounds so awesome.

Dave: I just I just think the old Nintendo 64 game. Yes. Yeah, this probably got nothing to do with that.

Jeff: And yeah, it’s not like people dancing up doing stuff like acrobatics. Maybe it’s on my Raspberry Pi, we should check that. So, this story is really interesting because the app was supposed to, like, enhance user experience with the show. But, did it really?

Dave: Yeah, there was multiple security flaws. So reading this story we talking about, there’s a list of problems with it. But you know, there’s no authentication protocols in place. So it is totally open to anyone who wants to look into it. But there’s, there’s also a bunch of other things, which basically gave anyone who downloaded the admin rights to everybody else. So there was a whole weird thing where you could you could change volume and things like that on other people’s devices. It is so weird. It sounds to me like it was built in a hurry to just push this thing out. Obviously, as tends to be the case with a lot of these things. Security is the last thing on people’s minds. They just want to bash the thing out.

Jeff: You just want to just want to have a good show. Whatever happens is watching one of these events, people got to be up on their phones.

Dave: This is my question. Why? I don’t know. I’ve never been to Cirque du Soleil. I was trying to figure out say before, I’ve never been seen them before. So I don’t know what I think. I think they say that the app is there to enhance user experience in the show.

Jeff: Yeah. I don’t know what I mean. I guess we’re just all, dude. But like, I kind of think about like, I’m at a movie. I’m on my phone. I hate when people are on their phones at movies.

Dave: Yeah, yeah, same. And this this is actually legitimize, they want you to actually get out and use your friends. Probably like one of those voting shows.

Jeff: Who knows. But the app? Yeah, it’s it seems like it was just more of like, not a giant security issue, just something that somebody could really wreak havoc on other people at the show.

Dave: Yeah, yeah, it was. The amount of damage it causes is minimal. But it I think it just outlines the fact that a lot of a lot of these apps are often kind of scrambling, designed and rushed through the door is probably a third-party developer was just given a rough outline.

Jeff: Security, baby. And I guarantee you if there was ever an incident with the app, the first line of their press release would be “We take security very seriously.”

Dave: Yeah, that’s copy paste from everyone else.

Jeff: Yeah, not that we seen that before. So the next one is another follow up story. But now we’re not talking about hacking this time. Not hacking governments are well, kind of, Yeah, this is it. This story follows up on the US border patrol area where at Customs and Immigration there was a breach it you know, from a third party to my government, and now 400 gigs of the hacked files are available on the Web to download by anyone.

Dave: This story I think we spoke about it last week or two weeks ago, I think 97 or 90, something like that. Yeah. And it came to light that there was a lot of data that got pinched basically by hackers who broke into the system so contractor and downloaded this data at the time. I don’t think we knew how big the —

Jeff: Nobody knew what was exactly in there. But I guess now you can if you really want to search for —

Dave: — the thing that gets me is the fact that the guys who downloaded all this data, were pretty ruthless in what they took because it reading the story they were saying that they were they weren’t picky about what they choose. And this is quite enough of a site as they were even mp3 files scooped up from Superstition by Stevie Wonder to Wannabe, but it’s a variety of AC/DC and Cat Stevens songs.

Jeff: This is one person’s computer like I would love to see the playlist or what they’re smoking during the day.

Dave: Yes. You’ve got Stevie Wonder, Spice Girls, and AC/DC and Cat Stevens. I mean, that’s a —

Jeff: — from Cat’s in the Cradle to if you want to be my lover, you gotta get with my friends. But I think this is really interesting, including the journalist who puts this out. And then what they got on to the files that are making these files available for public review, because they provide us an unprecedented, intimate look at the mass surveillance of legal travel as well as more local surveillance of turnpike and secure facilities. Now, I think is really interesting here is this is supposedly an area where it’s supposed to be really secure, because you’re coming into a country.

Dave: Yeah. But it also goes to show — and what Cluley refers to — is the fact that you can have all the best security protocols in place, you can have everything locked down to two factor authentication, your endpoints secure is anything. But if you’ve got a subcontractor with lax security, would you have no control over as a business, then working with your data — how do you control that? You don’t know.

Jeff: And I think this one is even worse, because there’s other accusations that potentially happened with what they’re doing with the photos into their matching when they weren’t supposed to. And to be honest, this stuff is sketchy. And you know, I thought we were all about making America great. Again, this is definitely not up in the making it great again.

Dave: But I mean, we need to jump over to the next story. But the story just goes on to say that this the subcontractors was for some reason, which hasn’t been answered, but they take security very seriously. Yeah, for some reason, which hasn’t been answered, they were basically duplicating the data the border patrol agency were producing so why they would copy in that data is another question.

Jeff: If only this were Europe, this would be super illegal.

Dave: Super, super illegal. Yeah. But again, I think it just boils down to the fact that, you know, making sure you subcontractors and the people you work with know security is a top priority. And your company is one of those things that is easy to overlook. Especially if you’re trying to make sure that things are budget friendly. But at the same time, what happens if something like this happens?

Jeff: Yeah, that’s the question. And I think I think we’re going to see what really comes to this stuff. And, you know, keeping on the photos area. Sorry, guys, I know you wanted more Spice Girls up in here. If you really want that I’m sure you could probably find Spiceworld for free on Netflix. … So, next story talks about, you know, it’s a really interesting, talk about how everybody wants to be verified. Influencers are everything nowadays, and everybody wants to be the next hotness on the Instagrams. And everybody wants that nice little blue checkmark.

Dave: Yeah, yeah, this is from a security blog. And it’s talking about fake Instagram verifications. Now he goes into talk about the fact that there’s a lot of phishing — the story’s basically talking about how there’s a lot of phishing sites out there being sent over e-mail. And people, as you quite rightly say it desperate to get that little blue tick. But I think he kind of goes to a wider thing, doesn’t it? You know, how we’re all desperate to kind of be — everybody wants verification?

Jeff: But then when you look at this, like the part that it talks about is, if you’re really desperate to get one of these check marks, typically, what you need to know is they’re usually reserved for people who advertise with the networks. So in some ways, it is a pay to play system, or you’re somebody that has fake accounts on them. And then he had to go through some system where Instagram’s gotta really think that your poop don’t stink. We’re thinking you give a lot of value to the network. Now, then, when you look at this, it talks about the phishing campaigns and about how people are so blind and desperate to get one of these blue checkmarks that they’re not realizing that they’re giving their information to somebody else. And then you want to put one of these data breaches. Because you gave it to the hacker.

Dave: The thing is, as well, there’s some pretty easy things you can do here, obviously, the check to make sure it’s Instagram, the site that you’re on is instagram.com.

Jeff: These guys look pretty good, though.

Dave: Yeah. But if you look, the URL is Instagram for business dot info. So these are the simple things, which I’m sure we talked about them every week, Jeff, you know, making sure that people do these simple procedures. But it’s just one of those things that people just keep pulling up.

Jeff: Whoa, look, I tried open up that website and: “Deceptive site ahead.” There. That’s some Chrome and Kaspersky protection right there. Speaking of protection, and now with IoT, everybody’s getting connected areas. I’ve got one, you know, I’ve got the home security system that’s connected the IoT from Google. But in this story, it talks about our department head Denis Zenkin, who recently installed this cool home center. It’s actually really sweet. Like he showed it to me one night while we were, we were at a restaurant in Boston, and he was messing with his family in Russia. So here he’s across the world, messing with them by hitting buttons on the phone, like turning lights on and off. So, the story is, Denis talks to Vladimir Dashchenko of our ICS CERT team and seeing like, you know, these guys are like their job is to find vulnerability in ICS devices, and ones that are typically connected. So the guys, of course, like any people who like to poke around decided to get on Denis’s home network.

Dave: The hub is pretty new as well. Yeah, there’s not been a huge amount of time. So this is pretty cutting-edge research.

Jeff: Yeah. And what I like about this one, too, is it’s talking about how they look at the attack surface and how they did find the vulnerability within the software. But here’s the part that I liked about it, the company work to a fix on this. And you know, because our guys disclosed it ethically that we were, you know, that it was able to get fixed. And I think that’s something that’s really cool. I remember when this whole experiment was going on, I was talking to Denis about how things were going. And he thought it was pretty creepy when the company even called him when he had an update he needed. So I think looking at this, it’s a really cool story to read. I know we’re short on time now. But I think this is something that should definitely check out especially if you’re going to get a connected home because it shows that even somebody who works at a security company has been here for years, high up in the company, lives, breathes security can have a device in the home that can be vulnerable.

Dave: It doesn’t have to be these home hubs as well. I mean, these home hubs basically control all the smart IoT devices are in your home. So you connect your lights and your radiators and whatever doesn’t have to be things like that. I mean, I know the Hive box, which I have at home.

Jeff: That sounds like a disease

Dave: It’s like Nest, but it’s just for central heating. And like I can tell him, yes go my house.

Jeff: I think even like reading a story like here and it’s like, here’s the hypothetical of what happens if your smartphone gets hacked, they can control the temperature in a house turn on a sauna play loud music. Yeah, mess with the lights with people. So it definitely has stuff where it’s got a stranger things type element to it. So I definitely worth checking out the post and checking out the video attached to it. So guys, there you have it. This week’s edition of the Kaspersky Transatlantic Cable podcast has come to an end. We hope you liked what you heard. If you did, please subscribe, give us a good rating on your favorite podcast app and share us with your friends. Sharing is caring, everybody. So with that said, dosvidanya and we will see you next week.

Dave: Bye-bye.

[Automated transcription lightly edited.]