Transatlantic Cable podcast, episode 94

May 31, 2019

Welcome to the 94th edition of the Kaspersky Lab Transatlantic Cable podcast. In this edition, we jump around a bit between cybercrime, privacy, and a little bit of Terminator 2 action.

To kick things off, we head down to Charm City. As you may have heard, Baltimore is dealing with a pretty serious ransomware attack that is crippling the city — not to mention the inevitable finger-pointing. From there, we head to the IoT and privacy front. With its new patent, Amazon wants to listen to everything you say. The company says it’s an effort to improve the experience for users.

We then move along to an events company data breach that affected more than 200,000 users. Afterward, we look at seven recent law-enforcement-agency wins in the fight against cybercrime. To close things out, we look at a new innovation from Chinese inventors that may make you think of Terminator 2.

If you enjoy the podcast, consider subscribing and sharing with your friends who need more regular updates on security. For the full text of the stories, please visit the links below:

Jeff: All right, so to kick things off, Dave, this week we’re going to come to one city that I’m very fond of: Baltimore, Maryland. But unlike it being, you know, crab cakes, football, or living by the water, unfortunately, this one’s going to talk about how the city has been held ransom by ransomware.

Dave: Yeah, this one, it’s been going on for a while. It’s not like it happened two days ago or anything like that. Maryland city servers were first hit on the seventh of May with the ransomware Robbinhood. “Robin Hood, Robin Hood.” Sorry, that’s a really old song.

Jeff: That’s a very British thing of you. You want to rob the rich to give to the poor.

Dave: Yeah, the demand is 100,000 pounds — sorry, $100,000, £79,000 worth of bitcoins. The usual. You know, “We’ve hacked your servers, give us some bitcoins.” You know, hats off to the city for refusing to pay. But it’s got them into a lot of problems. There’s a lot of stories come off the back of this. And kind of picking it apart is quite interesting, isn’t it?

Jeff: Yeah. I think for this podcast, we don’t really need to go into the whole back and forth between the infosec … measuring contest, if you will, of things of people trying to say what’s right, what’s wrong, you know, whose story’s right, which agency’s responsible for this, who should be held accountable. I think the focus point of this right now is really the awareness level of this because Baltimore is a big city in the US. And one of the things that really stands out, this is the second ransomware attack in the past two years to the city. But what this one highlights, is just what’s next for things going out. And I think the story here is talking more about how Baltimore had outdated infrastructure when it comes to IT. You know, unpatched areas, and certain things just were ripe for something like this to happen. And now they’re talking to, you know, they’re trying to get the government to list it as a disaster for relief funds.

Dave: There’s a lot to unpack here. I think, first off, you know, we were looking at, and I’m reading this sounds exactly the same as a lot of UK councils in the fact that, you know, they’re underfunded. And there’s a lot of legacy IT infrastructure in place, which is never updated. You know, they’re running stuff, which could be 15–20 years old, and it’s not been updated or patched in that period of time. And that’s not to say that this is just Baltimore’s problem. This is kind of endemic everywhere. We see it all over the place. But, you know, I don’t think it’s something that can be solved quite quickly. But I do think that there are a lot of problems with governments and councils across the country. Across the world, I suppose. And I think it does go to show that even though, you know, ransomware, people often dismiss it as being something that happened in 2017, and doesn’t happen anymore. It does still affect a lot of big systems out there that people don’t really pay attention to.

Jeff: I think that’s the big issue with things. And I think when you start to look at this, there’s a lot of computers still vulnerable to the alleged bug that this was launched with — which, you know, a lot of the stories now are talking about it being exploited, whether it’s EternalBlue or something different. It’s something where you’re starting to look at this and saying, okay, there’s been a patch for this. But now looking even in the article, you know, we’re talking about a million computers that are still online with this vulnerability. And this is not to mention the number that aren’t technically connected to the Internet.

Dave: Yeah, airgapped systems and things like that, which may not show up on the search engines. But yeah, you know, these things.

Jeff: And I think one of the things that really stands out to here, because I think this is going to become something that we see more of like you said, Dave, and one of the things that the story talks about is you know, that the city’s budget was $65 million for citywide information technology operations, which is 2.5% of the budget. But that’s less than half of the average for US-based cities. So I think when you start looking at this, this is one of those things where money becomes an issue; you’re going to start seeing this with older outdated systems, whether it’s in a city, whether it’s in a government or something like that, and it’s really not going to be pretty, because you start to see this and you start to have people’s lives being impacted by it.

Dave: Yeah, yeah. I think the story goes on to say that sales of homes were delayed because of something to do with insurance documents being delayed due to the ransomware, and a bunch of other things like people paying water bills, property taxes, and parking tickets, and stuff like that. All were down, so people couldn’t get to the services to pay them. Thankfully, the government, the council said that they will not be charged extra for that.

Jeff: I think the problem here is that we’re starting to see something where Internet becomes a necessity of life. It’s not just, you know, water and electricity and sewage, that’s seen as a necessity of life and in the US and the UK, but now you’re starting to look at something where you need access to the Internet, because everything’s paid online. Yeah. And now, when something like this happens, you know, people are up a certain creek without a paddle.

Dave: Yeah, definitely. Yeah, you’re right. Everything’s online these days. And even if you ring up a call center, they need to be online to check details and things like that.

Jeff: Everything’s tied together, so this, this is like one of those impacts that, you know, could become a bigger issue. And I know this is something that’s being investigated by the Secret Service and the FBI now, in the States. But I think, in general, another thing that’s interesting about this is you’re starting to see politics at work too, here. So outside of the infosec politicking about who’s right, who’s wrong in the story, what are the factual errors? What are the alleged errors, and it comes to sources named and unnamed and you know, that’s called? It’s called: just figure it out, it’s journalism, you could read here what you want and figure that part out. But there’s a lot of common threads, and if you really want to get into it, just kind of look on Twitter, and you’ll see the things based on the story. I think what’s interesting here is you start to see people passing the buck, and you’ve got people within the government of Baltimore that are pointing fingers at the NSA and saying, you guys should have kept this tool and exploit, you know, been able to protect these and not lose them in the Shadow Brokers thing, which I think is a big thing you’re seeing a lot of the wonks talking about now. But outside of the Internet people with pitchforks, when you start having government people targeting other parts of the government, you know, a state versus federal in the US, it becomes a messy area where now you start to have people pointing fingers and something that’s not as cut and dry as something of, “Hey, you just stole this loaf of bread from the store? I’m going to take you to jail for a little bit.”

Dave: Yeah. If only issues like this were that simple, we probably wouldn’t have a job, right? You know, the …

Jeff: David, David, David, stop that. I like working.

Dave: Yeah, you know what I’m saying, though. If the world was just that simple and easy, and like you say cut and dry, things would be a lot easier and simple, but certainly they’re not. A lot of these issues are usually a lot more complicated than they are. But anyway, I digress.

Jeff: But I think with that, I think with that when you close in a very good spot, though, I think when we look at this story, we went through an area where everything is cut and dry, black and white. You know, I think we went into an area where we do live in a global society now. And everything crosses borders, even though we live in our own fiefdoms or countries, if you look at it, and the Internet and everything tied to the Internet lives in different shades of grey, and now we’re not talking that book that I know you read whatever you’re on a plane to try and make people uncomfortable, but in all honesty, I really think this is what it comes to because now when you start seeing people point fingers, the Shadow Brokers issue with everything was a lot bigger than just a simple somebody stealing from somebody else, because of the wide-ranging implications of it. So I think the big thing here is if you’re a government agency, or you’re somebody who’s still running at home or somewhere else a really old and outdated computer, please update your stuff. Please, please, please. And if you’re working on a company thing, make sure the patch is stable, and then roll it out to your people.

Dave: Yeah, yeah. Anyway, we have a few other stories, because we could talk about that one all day long. This next story is quite an interesting one. I find it quite interesting. The story’s from Gizmodo and talks about how Amazon has patented an update for its Alexa device that records every word you speak.

Jeff: Now, that’s a feature.

Dave: Take that title with a pinch of salt because you gotta dig into the details a little bit, but basically what it’s saying —

Jeff: I’d rather not dig into the details.

Dave: — Well, I’m going to go in there. I’m diving in. So basically what he’s saying is and it’s just a patent, so you know, you have to take it with a huge pinch of salt. So he’s basically saying that the way that Alexa works at the moment is a little bit … I wouldn’t say crude, but you have to do a kind of formal step, as in you have to use a wake word called Alexa or I think you can change it to say Computer these days, which is very Star Trek-y. You have to put that start, and then it records whatever you say. Amazon’s idea with this is that it would listen for the wake word still, but record like, 5–10 seconds before you said anything. So essentially, yeah, it’s recording all the time —

Jeff: It knows your safe word before you have to yell it out.

Dave: — Exactly. And that’s how it will work, basically. A lot of people have complained this is sort of dystopian.

Jeff: You know what? I think the people complaining or the people that are in the privacy. The general users who have are like yeah, hey, I can [inaudible]. But to me, this is just big Bezos. Forget about Big Brother; Big Bezos be listening, and business be booming for him. I think when we look at this, to be honest, this is a natural progression. I think, you know, when people complain about Amazon’s employees listening to stuff that’s on Alexa, it’s like, Really? You’re really thinking that’s not going to be a problem? You really don’t think that they’re going to listen to it? You’re just talking to a machine that’s helping them sell stuff. So when this comes to light, the thing to me is, again, we’re looking at convenience over security and privacy. Because it is super hard to pick up your phone or roll out your computer to order a new book, to order a refill of toilet paper, to refill toothpaste, to get some stupid thing that you drunkenly order to Amazon delivered to? Like, there was that study of a drunken Amazon? What’s going to happen with Alexa? Man? I can’t wait for the AI stories of like, some sloppy talk back and forth.

Dave: Yeah, I mean, you hit the nail on the head, these sorts of things. And I suppose we can say this because we’re grumpy old men. And we don’t have them. But this is sort of technology, for the sake of technology in the sense that do you really need it? Can’t we just go on Google? And maybe we, you know, sound a bit old-fashioned, but that’s the way the world is turning.

Jeff: I think this is stupid. To be honest, I think we’re looking at this, like, Why do you have this in your home? What do you need it for? Like I see my kids playing with my mother’s more there. And I want to shoot it. I want to go buy a gun and shoot the hell out of it. Because it is so annoying and so disruptive, of just being able to be controlled by a 5-year-old and an 8-year-old. So to me, I just think there’s no use for it, like I see that it can help things and it can make certain things easier for people. But do we really need that level of automation? Before we get any of that Jetson-type stuff in the houses, I want a flying car or a robot or that damn machine that you would just pick. When Elroy hit a button, he would get like mac and cheese and then they go over there and hit something else, and all of a sudden you get a hamburger. I want that before I want something talking to me in my house. Because I’ve seen what HAL can do to people.

Dave: You basically want flying cars instead of an Amazon Alexa, which, you know, I think I can go with.

Jeff: Elon Musk, get up on that.

Dave: Yeah, and I mean, just dropping back into the story briefly, as Amazon were contacted about it, and they quite rightly said that, you know, it’s just a patent. A lot of these companies create patents, and then you —

Jeff: — [sings] and you said he’s just a friend. Oh, baby. You got what I need.

Dave: Beautiful. Yeah, it’s just a patent. It’s not necessarily going to turn into a feature. Yes, exactly. For now.

Jeff: Just like Facebook wasn’t gonna use facial recognition, huh?

Dave: Yeah. Where did that end up? Anyway, shall we jump over the next one?

Jeff: Yeah, this one’s interesting. I think this one’s more of an FYI to those who use it. 200,000 personal records were exposed by Amazingco, an event-planning app. Now, why I think this is interesting is while it does hit mostly Australia, New Zealand, and the US is that this leaked records tied to children’s entertainment, among other types of tours. So it’s kind of like now you’ve got data that can be used in a not-so-good way out there.

Dave: Yeah. I mean, this is another data breach story. And I feel, Jeff, that we talk about data-breach stories, like every day. I think what makes this one unique is, yeah, they do have children’s information on here. In terms of size, we’re not talking like AOL or anything like that, but 212,000 records in total. But yeah, it’s the sensitivity of the data, this is, you know, we’re talking private information of individuals, children, and older people. So yeah, it’s concerning, yeah?

Jeff: I think the part that could be more concerning is the IP addresses and storage information that were found, that are things that can be exploited in the future. But again, like with all data breaches, it’s going to be something that comes up, you know, I think this is another reason to use separate e-mails for accounts, or even to just do something along the lines of how do we say change your passwords and keep updated passwords and strong management with something like a password manager if you can’t remember them. Or remember Jacoby’s little formula with monkeys and colors. But that’s a whole different story. So I think with this one, just it’s a smaller one of the breaches but something definitely to keep eyes on. And now it’d be a happier note, I think we’ve talked about crime, big Bezos listening, and some other things. And I think a good way to kind of get towards the tail end of this is over on Dark Reading this week, they have a story that’s a slideshow on desktops. So sorry, in advance, if you click on the link and get annoyed by clicking through things, really talks about seven recent wins against cybercrime. And I think this is a hats-off to the law-enforcement agencies out there. This one ranges everywhere from talking about the Alexandria online auction fraud network taken down to the xDedic group. And I think with this, it’s really good to see that law enforcement is able to start taking down some of these cybercrimes, which seem like they would often take much longer or not be as prevalent in the past, and it seemed just like criminals were getting away with murder. On the Internet.

Dave: I agree. It is a little bit frustrating. It’s a slideshow, but we thought it worth mentioning because we too often talk about bad news on this podcast. It’s nice, as you say, to kind of shout out police forces and the private agencies that are bringing these things down. One of my favorite ones actually out of all these is the Webstresser Wipeout, i.e., DDoS for hire. It was a massive operation. And you know, the Webstressers were sort of a huge thing a few years back. Not to say that they’ve disappeared overnight or anything like that, but I think the Webstresser Wipeout was sort of a big moment because they took down a huge sort of network of these. So it’s, you know, and that was the EU and Europol who took that down so you know, hats off to them. So it’s a great little story well worth reading. It also kind of gives you a little bit of backstory on the ransomware or the attacks and things like that. So yeah, it’s a nice little read.

Jeff: I like that we get to talk about good things for once. We don’t get into that too much. And I think with this one, like especially with this Webstresser Wipeout, that’s 4 million DDoS attacks this group had done. If you think about it, that’s a lot of devices that are being done there. And definitely something that’s good to see out of there because we like to see crime pay.

Dave: Wait, crime pay?

Jeff: Well, I like to see criminals pay. By pay I mean, hard time. So good job to our LEOs out there. So this week, I want to end on something because everybody’s getting jacked up about the new Terminator movie with Sarah Connor coming back and everything and Arnold being up in there, but CNET was talking about something this week, where there’s now a creation of liquid metals for soft robots.

Dave: Yeah, this freaked you out.

Jeff: Listen! I spoke I have seen what they can do.

Dave: The video is quite interesting, but thankfully, it does look like T1000’s got a fair way to go yet. But it’s quite funny, actually. You look in the thread on the tweet, and literally every single tweet response is of the T1000 when everyone else is going down the same road as …

Jeff: Researchers in China: Please stop this. I have seen what happens with Skynet. Yes, it was a movie I know. But yo, stuff got really bad.

Dave: Maybe we should show it. They might not have seen the video, so we might need to show them and hopefully change their minds about T1000.

Jeff: I’m pretty sure we might be blocking that in China now. I’m not sure that they have a good relationship with my country right now. Before we get into that, we’re just gonna wrap up this week’s edition of the Transatlantic Cable podcast. Hopefully you guys liked it. If you did, please subscribe or share with your friends. Sharing is caring. If you want to help us out with the podcast, please give us a good rating on your favorite podcast listening tools. And if you like us and haven’t subscribed yet, please subscribe below. We’ve got great links there. We come out each week with a story for you guys and keep it to 20 minutes or less to fit into your busy week. So next week, same cybertime, same cyberchannel. We’ll see you then.