Transatlantic Cable podcast, episode 95

Dave and Jeff discuss a number of issues ranging from backdooring encrypted chats to POS malware and more.

Episode 95 of the Kaspersky Transatlantic Cable podcast touches on encryption’s power, burger joints, Google Chrome restrictions on ad-blockers, and more.

To start things off, Dave and I tackle a pair of stories dealing with end-to-end encryption and how governments are looking at it. The first is from Germany and ponders if law enforcement should be able to read, in plain text, encrypted messages. Then we jump to how companies such as Apple and Google are pushing back on the GCHQ for proposing the same thing.

Afterward, we move to sports and how a football club may need to recheck where they send their money. Then, we discuss a burger chain in the US hit with point-of-service malware. Finally, we close out the podcast with changes to Chrome and ad blockers.

If you enjoy the podcast, consider subscribing and sharing with your friends who need more regular updates on security. For the full text of the stories, please visit the links below:

Jeff: Dave, what the heck’s going on in Europe right now where we’ve got two different countries who’re looking at pretty much working at decrypting messages on encrypted messenger apps like WhatsApp, Telegram, Signal, Threema, etc. All those things.

Dave: Yeah, this is a bit of a weird one, isn’t it? This kind of story hasn’t come up out of the blue. We’ve seen this story pop up every now and again with law enforcement agencies and governments around the world, particularly America for a while, all wanting to kind of get in on breaking encrypted messaging, specifically, end-to-end encryption. And it kind of went silent for a bit after the — now, you have to correct me if I’m wrong, but San Bernardino?

Jeff: California. That’s the shooting where it was, you know, yeah, ties to terrorism and things like that.

Dave: Yeah, we had we had that and the whole Apple versus the FBI situation. But then the FBI got into the phone. And now this has kind of come back up. So, there’s two stories. There’s the Germany’s mulling, basically trying to break end-to-end encryption. And the GCHQ over here in the UK, is not specifically talking about breaking encryption, but more I think their plan would be to add a ghost participant to conversations. So a bit like a group chat, you’d have, you know, a silent participant, i.e., the government listening into specific messages, it wouldn’t be all messages from what I understand this would be a bit like a wiretap or something specific like that. So you know, they, if they had a person of interest, they could basically wiretap a WhatsApp conversation. But it’s troubling, isn’t it? Because, you know, whatever way we go, we’re talking about kind of weakening end-to-end encryption, and that is not a good thing.

Jeff: Now, I think these two stories are really interesting. And one thing to keep in mind, like you said, is, these are just thoughts, proposals, and conversations at this point. And the first thing that stands out to me is, you know, both sides are talking about this from a law enforcement perspective. And, you know, let’s be honest here, law enforcement doesn’t have the easiest time now, when it comes to things. So yeah, I get that point of them needing to have access into getting into some of these types of messages, whether it be an encrypted message, it be an e-mail, but again, with that said, there’s laws to do this. And when you look at something, like you mentioned, bringing up wiretapping, you know, there’s a set of laws that go in those for our countries. Now, when you bring something like private messages here, the part that I think is really bad here, the German story, talks about having networks pretty much break the encryption and store this in plain text.

Dave: Yeah, that’s all levels of bad, isn’t it?

Jeff: So I think when you’re talking about this, and we’ve talked about breaches before when we look at passwords, what’s the first thing that everybody talks about? What was stored in plain text? And now, the problem with this one is, yes, we’re talking about special types of services when it comes to Germany and potentially with law and the police. But the problem is, now that you start saying you’re going to start storing this on plain text. Now, you’re almost making these companies do something different than they normally would have done, you know, the encryption was built to do something that was super secure for the end users. And you know, what, as the articles rightly say, this is mostly used for people who are, you know, an activist groups, journalists, or people who need to be private for some things. And the counterargument is, this becomes a haven for terrorists to hide.

Dave: Yeah, yeah. That’s the usual sort of narrative we hear from governments and law enforcement agencies. And I’m not going to be the person to say that that doesn’t happen. I’m pretty sure that those sorts of individuals will use encrypted messaging. Of course, yeah, it’s going to happen. I mean, they’re not going to be using pigeons or anything stupid like that, you know, so they’re —

Jeff: — not going to send the Ravens.

Dave: Now, oh, well, it’d be pretty cool if they did something like that. But no, it’s probably just going to be, you know, throwaway mobile phones with throwaway SIM cards and, and, you know, something along those lines in an encrypted chat. So no pigeons or ravens, sadly.

Jeff: Dragons?

Dave: Yeah, that’d be a cool one. But, you know, something needs to be done and I’m not, I’m not going to be that person to say that, you know, we should just have encryption for the sake of encryption, blah, blah, blah, blah. It’s very, very important. But at the same time, I think it’s that balancing act, isn’t it? I think law enforcement are keen to do something about it. But at the moment, all they plan on doing is breaking encryption, which is just going to make it worse for everybody, not just, you know, solve a couple of problems. As you rightly say, storing stuff in plain text is a monumentally bad idea. Whatever we doing, and the other alternative, which is GCHQ’s option of adding a ghost participant, whilst sounds better on paper —

Jeff: — That’s no. No, no, no, no, no, no, no, no, no, no, no, no, no, no, no. Because you know what this reminds me of? And I think the best example of this is putting somebody on the BCC on an e-mail, when you talk about something sensitive. Now, one of the things that bothers me about this, and I understand the law enforcement side, like I think one of the things to stress is Dave and I are not saying we’re antipolice in any way, shape, or form here. But I think one of the things here is that’s just kind of, I think, if you do that, that ghosting type of thing, and then the private people, you’re losing all trust.

Dave: That is the main concern here, isn’t it?

Jeff: Yeah, I think the big problem you have here is you trust the encryption on these apps. So I use Threema for private conversation. I use Signal for private conversations. WhatsApp, I use for a bunch of dumb things. But when you know that somebody has changed, you see the encryption key has changed for somebody. You think about what you’re saying, and I think we go back to me sending something to the wrong number for our Swedish friends.

Dave: Yes, yes. The infamous message.

Jeff: It wasn’t that bad. But when it comes down to it, and we start looking at some of these things. Like, these applications are based on trust. And what the government’s here with the GCHQ is pretty much saying is trust us to do the right thing. Unfortunately, I think governments have proven in a lot of these areas, if there’s a way to expand their surveillance programs, they’re going to do it. Yeah. And it’s just that whole area of power corrupts, and because you have the ability to do something, it just is there. And I think that’s kind of one of the great back and forth to Apple, Google, WhatsApp and a number of other companies — 47 to be exact — pushed back on this Ghost Protocol, saying that it not good. And they’re urgent. Abandon it.

Dave: Yeah, I think, you know, we you, as you rightly say, we both were not antipolice or anything, anti–law enforcement agency or anything like that. But I think there’s, this is where, you know, these groups need to come together, and thrash them out. Because one way, which is just hard to encrypt everything isn’t going to help the police forces and the other way, which is just break encryption for everybody isn’t going to help anybody. So there’s, you know, is there a happy middle ground somewhere? You know, that’s where, I mean, I don’t think encryption is the only —

Jeff: — problem with this is everybody knows Big Brother’s watching, or, or whatever you want to call it for your country. In the US, we call it Big Brother. But at end of the day the problem is that the end user, and I think this is one of those things, both of these stories, a German one and the UK, one, they’re going to win a lot of praise, when it comes to the media. And when it comes to public opinion, because everything is so easy to jump on. You look at Brexit, you look at, you know, Trump becoming president, both of those are based upon a human fear and people coming on something. So you’re saying, with this one, you’re playing, hey, we want to break this encryption, because this stops the criminals. That’s the talking point. That’s the PR point that’s going to go across with this one. And these companies are evil, look at Facebook, they’re evil, they own WhatsApp, they’re evil. They want to make sure that they can protect criminals. Well, in the sense that that’s good for a media in a in a big measuring stick type of thing, if you want to pull it out and measure it. But when it comes to end user, the people who are forgetting this was people who are raising pitch was it? Yeah, yeah. Yeah. Yeah, get the big companies. But then it comes to them. They’re like, yeah, they’re good for crime. But then you start thinking about it, and you’re like, Oh, crap, I just sent a wingwang picture to my wife. Wait, the government can see that.

Dave: There’s a discussion that needs to be had. And I think it’s, you know, definitely something that GCHQ and the law-enforcement agencies around the world need to have with — and I’m sure they are having it. I’m not sure I’m not. I’m not saying that they’re not having these conversations. But you know, there is something that needs to be done, I think, but as you right, quite rightly pointed out, you know, encryption is either some things either encrypted or it’s not this is not like this soft encryption or things like that. So, shall we jump over to the next few stories? This one is a weird one, isn’t it? It’s over on Kaspersky blog and is talking about soccer clubs, or, you know, football, as we call it in the UK, soccer club being defrauded. And it’s an interesting read, actually. But it all boils down to that all favorite of cybercriminals, which is social engineering, which, you know, is as old as the hills, isn’t it?

Jeff: The story goes back to something we talked about a few weeks ago in the podcast with the family who lost their money on the real-estate transaction.

Dave: Yeah, it’s exactly the same scenario.

Jeff: Except this one’s a boat-ton more money.

Dave: Yeah, half a million euros.

Jeff: That’s a lot of money. I think looking at this one. This just goes to show how people need to be vigilant. Even in areas you don’t think about it. Like we talked about real estate. This one’s talking about transferring of a player and I’m not gonna pretend I know anything about football. I’m not gonna lie here.

Dave: Yeah, I’m basically in the same boat. As you, Jeff. I’m not much of a football fan, to be honest. But the story is, these aren’t actually large numbers. As far as I understand in football, you know, half a million is actually peanuts when you consider the top stars.

Jeff: Yeah, I know, some of the other ones have been big. But I think when you look at this one, that’s a lot of money to be transferred, and the story talks about how these two teams transfer players they shared, like back and forth, and then all of a sudden, somebody don’t get their money. And it’s like, yo, you stole this guy from me, you didn’t send me my money. Then they go back and forth. And you start to realize this half a million euros. Just went to a bank.

Dave: And again, as you rightly say, the story we talked about the homeowner couple of years ago, it just turned out that, you know, somebody had not read the bank account details and not double-checked. And, yeah, they’ve been a bit of social engineering and someone who broke into an e-mail account and, and just changed a couple of bits on the bank account details. And, you know, for a small bit of work, they managed to get half a million euros. Sadly, at the moment, you know, the investigation is still ongoing. But I think if we if we have one PSA for today is if you’re going to be transferring any sort of money over the internet or over the phone or anything else. Yeah, yeah, check those details. Make sure double check everything in order. And you are sending it to the right person.

Jeff: You know what, this just brings up? This is our “you had one job” moment.

Dave: I’m sure I said it last time on the other podcast, but half a million euros, wouldn’t you? Wouldn’t you check, Jeff? I mean, I personally if I was sending that sort of money.

Jeff: Listen, I haven’t I have never touched that much money in my life. I’m not gonna lie. But I’m thinking somebody might be in some trouble at work. Yeah, that’s a lot. Yes. Somebody might be getting. Yeah. Now, this next story that we’re talking about comes over to a place that’s used to be near and dear to me, because it talks about Checkers restaurants. Now for those of you outside of the US, Checkers is a cheap fast food restaurant that’s delicious, but really, really not good for you. And can cause a heart attack probably. But 102 locations in the US were found with POS malware. Yeah, I know.

Dave: For anybody who doesn’t know what POS malware is, is basically point-of-sale. So you know, those swipe card readers, things like that. Cybercriminals able to put malware onto those devices and which, over in the States you guys still use a lot of swiping, so this specific piece of malware read the magnetic card information and basically stole that information. From what I can understand, though, this is the weird thing. The breach actually happened quite a while ago back in 2015. But he only really got going in 2018. And in this year, in 2019, they find out so it’s a bit odd that it’s taken so long firstly, for Checkers to find out, but also for that sort of malware to kind of sit not doing a great deal because apparently this data hasn’t been used. So not that I’m saying that you should rest easy. If you have been using Checkers and you know you had to swipe the magnetic card, definitely get your credit card checked, your debit card checked, definitely. On a side note that their food looks nice.

Jeff: It’s nice, but at the same time, they put it this way you’re paying like — when I used to go there, and I was very poor at the time, you would be able to get like two cheeseburgers, some fries, and a soda for like five US dollars.

Dave: That’s like 3 pound 50 or something — that’s good value. That is, it’s bad food but good value.

Jeff: Listen, listen, my inner fat kid. Still, it poured one reading the story that I think we we look at this. I think this is what I think is not surprising about this is, this seems to be, according to the researchers, a similar group, who went after other accounts in the past, like we’ve seen a bunch, whether it’s Target or Chilis, or Applebee’s, those places that had them had these types of POS attacks on them. You’re looking at something where it just happens. And it just takes a while to find out because you’re not stealing a lot of money. It’s grifting stuff off of you know, different types of accounts. So yeah, I’m not surprised this one laid in the weeds for a bit, a little bit I am but for the most part, not really. Because you know, you’ve seen POS stuff dropped for a while. But again, if you’ve been to Checkers, and your fact you like me, check your stuff.

Dave: Definitely. And so I think we’ve got a little bit of time left for this last story. Yeah, this one got to me a bit. This one’s from nine to five Google. And it’s a little bit frustrating. Because Google have said that they’re going to restrict the use of ad blockers inside Chrome. Now, from a business point of view, it makes complete sense. Google rely on ads. But from an end user point of view, it kind of sucks. Because ads are becoming more and more pervasive, these days, I’m pretty sure you’ll agree, Jeff. So for them to kind of restrict how Adblock and uBlock and Ghostery and things like that work isn’t going to go down well with like the majority of users who use Chrome, right?

Jeff: Yeah, I think when you look about this, and there’s certain changes that come into play with this one, it definitely leaves on a sour note for a lot of people I know that I saw a few people posting, well, I’m moving the Firefox. And these were some notable people, you know, especially a few types of the EFF posting some things out there. And you’re like, you know what, yeah, you know, while you know, this is a business model for areas. I also think there’s an underlying possible security thing that they’re trying to do here with limiting the number of access to people have the things but again, it sucks. They’ve been messing with ad blockers for a little bit lately, where some stuff have gotten like, you know, some of the ones just get devalued just a little bit, if you will. So their power has been restricted. Yeah. Take back that old Spider Man With great power comes great responsibility. I don’t see Google changing because it’s where they make their money on. And if you’re if you’re stripping out the cookies for all the people are blocking display ads from showing eventually, it’s going to hurt some money or hurt partnerships. And as you said, the enterprise level is where the money’s at for them.

Dave: Yeah, yeah. And, you know, if you don’t like the change, Firefox is calling I Firefox is my main browser. I love it. I moved over last year after being on Chrome for quite a while. So and you know, Firefox is not going to get rid of ad blockers anytime soon. So there’s your alternative.

Jeff: See, I still like Chrome. It’s just easier for me. It’s just I’ve been using it for over 10 years now. Get off my lawn.

Dave: Oh, no, it wasn’t gonna say anything. But yeah. That makes you sound old.

Jeff: Well, it does. But I think at the same time, it’s something to watch as it goes through. Also, yeah, I don’t even look at half the ads that are on there. And I also block cookies from half the places that come through. So there’s small small wins, small Punic victories in this big behemoth that is make money off the end user. Yep. All right.

Well, there you have it, guys. This week’s edition of the Kaspersky Lab Transatlantic Cable podcast has come to an end. If you like what you heard, please subscribe or leave us a five-star review. And if you have friends who want to catch up on infosec for the week, please share the link with them because sharing is caring, everybody. So, we’ll see you guys again next week. Same cybertime, same cyberchannel, and have a great weekend.