Tuesday, January 14, 2020

Scaring grandma - A vicious news cycle of incompetence

As someone pointed out, it's been a while since I published something to stimulate the mind and piss off someone in need of an attitude readjustment.

Well... happy new year!

The last months have been overwhelming for many enterprises, as breaches surface faster than grandpa's bubbles in the spa.

No lack of cases to pick at, and over the last month and a half, I was called into over 30 television and radio interviews for various screw-ups and potentially newsworthy events.

This week, some news stories floated to the top, but as is often the case, the media misunderstands the risks, and sometimes they call in technology experts who are not tuned to security; the result is messaging that frightens everyone with no significant value.

Let's take this case: Quebec hacker arrested for SIM swapping and stealing millions in bitcoins.


I was listening to one of my favourite talk show hosts... drive the car literally off the cliff. I actually texted him while he was on the air with the word "STOP!".

His interviewee was going on about how SIM swapping takes over the person's phone.

First off, NO. SIM swapping takes over the person's PHONE NUMBER. It has very little to do with the emails on their phone or the other applications on that phone, unless numerous other attack vectors are added on top.

As the car drove off the cliff... it accelerated... going on about how emails and everything on the phone were compromised... once again... a stern and firm NO.

I'm all for scaring grandma.   But I prefer to use valid old school techniques like C4 or the right mixture of potassium nitrate, sulfur and carbon in her granny panties drawer with a drawstring and a hidden camera.

So let's make sure we break this down and understand.

If someone called your provider and had the right personal information, they could activate a new SIM on your current phone number. Your phone would go mostly dead (no calls, no phone carrier internet), but if you are on wifi, you might not even notice until you try to make a call.

If that same someone had access to even more personal information, like your banking information (bank name, account name, password), they could log into your bank account even if your bank uses SMS-based MFA (multifactor authentication). They would simply log in, and when asked for the temporary secret code, they would receive it on the device holding their newly configured SIM card; you wouldn't receive anything, nor know that this happened.
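An added example, not from the post: the defender-side check that follows from the two paragraphs above is to correlate a carrier's SIM-change notifications with logins that were approved by an SMS code, and to treat any such login that closely follows a SIM change as suspect. The log records and field layout below are constructed for the example.

```python
# Added example (not from the post): flag SMS-OTP logins whose phone number
# had a SIM change shortly before the login, i.e. the SIM-swap pattern.
from datetime import datetime, timedelta

# Constructed sample data. Real feeds would come from the carrier
# (SIM reissue events) and the bank's authentication log.
SIM_CHANGES = [
    # (phone number, time the SIM was reissued)
    ("+15145550101", "2020-01-13T09:12:00"),
]
OTP_LOGINS = [
    # (user, number the SMS code was sent to, login time, source IP)
    ("alice", "+15145550101", "2020-01-13T09:40:00", "198.51.100.7"),
    ("bob",   "+15145550202", "2020-01-13T10:05:00", "203.0.113.9"),
    ("alice", "+15145550101", "2020-01-10T08:00:00", "192.0.2.44"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def flag_suspicious_logins(sim_changes, otp_logins, window_hours=72):
    """Return the logins whose OTP number had a SIM change within
    window_hours *before* the login. A SIM change after the login is
    not evidence that the login itself was hijacked, so it is ignored."""
    changes = {}
    for number, ts in sim_changes:
        changes.setdefault(number, []).append(parse(ts))
    window = timedelta(hours=window_hours)
    flagged = []
    for user, number, ts, ip in otp_logins:
        login_time = parse(ts)
        for change_time in changes.get(number, []):
            if timedelta(0) <= login_time - change_time <= window:
                flagged.append({
                    "user": user, "number": number, "login_at": ts,
                    "sim_changed_at": change_time.isoformat(), "ip": ip,
                    # the post's point: SMS alone no longer proves the owner
                    "action": "hold session; require non-SMS factor",
                })
                break
    return flagged

if __name__ == "__main__":
    for hit in flag_suspicious_logins(SIM_CHANGES, OTP_LOGINS):
        print(hit)
```

Only alice's login 28 minutes after the SIM reissue is flagged; her earlier login predates the change and bob's number had no change at all.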

So back to the bitcoins worth millions.

These victims are not the sharpest tools in the shed.

Sure, they had MFA activated on their ONLINE WALLETS...

But these wallets are ONLINE and they had millions in them.

So not only did they trust the MFA (which is ok to do under most circumstances), but they also trusted a software system, hosted on the internet, to hold millions of dollars in bitcoins.

That is not a very smart move.

As a solid comparison, I have an electronic bitcoin wallet on an Android phone. This device is ONLY connected to the internet via wifi (no SIM card), and only when a bitcoin transaction is to be done. I have the wallet secret key encrypted with a mechanism that only I know, printed, and placed in a physical vault.

So my risk is reduced to a window of time, equal to the moment I connect to the Internet to perform a transaction (a few minutes).

Ok sure, some additional risks exist. I just mentioned that I have a paper version that only I can decrypt, stored away in a vault somewhere, so I'm now a potential kidnap victim. On the positive side, I'm batshit crazy, heavily armed, ex-military, over 50 with a short fuse.

That is called risk management.

And you won't hear me crying that someone stole my bitcoins anytime soon.

So all these people, rapidly moving with the technology, are not aware, even at the simplest level, of the risks they are taking.

Trusting a website to hold your bitcoins (or anything related to your wallet) is, to me, as close to crazy as one can get.

So once again, everyone relying on technology would benefit from a lunch with a qualified security professional.

People, feed your nerds and geeks.

It can save you millions. ;-)

And as for the media, it would be nice if they would gradually learn to stop calling an 18-year-old "hacker" a computer genius simply because he had the patience to exploit a series of people who were totally useless and careless in their protection of valued assets.

Just to be clear: because someone knows more about something than you do does not by default make them a genius.

And also, how many people actually have millions in bitcoins protected by their phones...


On a second note, big news today about various social media being caught selling your shit again. How this is news is beyond me, since all experts keep saying that if it is free, you're the product.

Ok, in this case these services are not ALL free (Tinder & Grindr), but some features are, and let's face it, companies are there to make money, not to offer a quality service as a primary objective.

Now I'm not saying that quality isn't important to them, or that all social media and dating apps are bad; I'm saying that most will sell any data they can to make more money, because companies prioritize profits over quality of service.

What we do not know at this exact moment are the exact data elements sold. Is it just statistical data (so many men looking for XYZ in this geographic area)? Either way, are we really surprised that they package usage data and sell it... come on now. Grow up.

So, back to basics:

1) If it is free (or mostly free), you are the product or part of the product.
2) If it is extremely valuable, it shouldn't be on anything connected to the Internet.

Paris Hilton and many other famous people learnt that the hard way (no pun intended).


Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives. He teaches cybersecurity at l'Ecole Polytechnique and HEC universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn: EVA-Technologies

