S3 Ep92: Log4Shell4Ever, travel tips, and scamminess [Audio + Text]

Credit to Author: Paul Ducklin| Date: Thu, 21 Jul 2022 16:25:17 +0000

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


READ THE TRANSCRIPT

DOUG.  Facebook scams, Log4Shell forever, and tips for a cybersafe summer.

All that, and more, on the Naked Security Podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug Aamoth, and with me, as always, is Paul Ducklin.

How do you do, Paul?


DUCK.  I’m super-duper, Douglas.

Starting to cool down a bit here in England.


DOUG.  Yes.


DUCK.  I think I picked the wrong day to go on a nice big country bicycle ride.

It was such a good idea when I set out: “I know, I’ll do a nice long ride, and then I’ll just get the train home, so I’m at home in plenty of time for the podcast.”

And when I got there, because of the extreme heat, the trains were only running once every two hours, and I’d just missed one.

So I had to ride all the way back… and I did just make it in time.


DOUG.  OK, there you go… you and I are in the full swings of summer, and we have some tips for the summertime coming up later in the show.

But first, I’d like to talk about This Week in Tech History.

This week, in 1968, the Intel Corporation was formed by Gordon Moore (he of Moore’s Law), and Robert Noyce.

Noyce is credited as pioneer of the integrated circuit, or microchip.

Intel’s first microprocessor would be the 4004, which was used for calculators.

And, a Fun Fact, the name Intel is a mashup of INTegrated ELectronics.

So… that company turned out pretty good.


DUCK.  Yes!

I guess, to be fair, maybe you would say, “Co-pioneer”?


DOUG.  Yes. I had, “A pioneer.”


DUCK.  Jack Kilby, of Texas Instruments, I think came up with the first integrated circuit, but it still required parts in the circuit to be wired together.

And Noyce solved the problem of how to bake them all in in silicon.

I actually attended a speech by Jack Kilburn, when I was a freshly minted computer scientist.

Absolutely fascinating – research in the 1950s in America!

And of course, Kilby famously received a Nobel Prize, I think in the year 2000.

But Robert Noyce, I’m sure, would have been a joint winner, but he had already died by that time, and you cannot get a Nobel Prize posthumously.

So, Noyce never did get a Nobel Prize, and Jack St. Clair Kilby did.


DOUG.  Well, that was a long time ago…

…and a long time from now, we may still be talking about Log4Shell…


DUCK.  Oh, dear, yes.


DOUG.  Even though if there’s a fix for it, the US has come out and said that it could be decades before this thing is actually fixed.


DUCK.  Let’s be fair… they said, “Perhaps a decade or longer.”

This is a body called the Cybersecurity Review Board, the CSRB (part of the Department of Homeland Security), which was formed earlier this year.

I don’t know whether it was formed specifically because of Log4Shell, or just because of supply chain source code issues becoming a big deal.

And nearly eight months after Log4Shell was a thing, they produced this report, of 42 pages… the executive summary alone runs to nearly 3 pages.

And when I first glanced at this, I thought, “Oh, here we go.”

Some public servants have been told, “Come on, where’s your report? You’re the review board. Publish or perish!”

Actually, although parts of it are indeed heavy going, I think you should take a read through this.

They put in some stuff about how, as a software vendor, as a software creator, as a company that’s providing software solutions to other people, it’s actually not that hard to make yourself easy to contact, so people can let you know when there’s something you have overlooked.

For example, “There’s still a Log4J version in your code that you didn’t notice with the best will in the world, and you haven’t fixed.”

Why wouldn’t you want someone who’s trying to help you to be able to find you and contact you easily?


DOUG.  And they say things like… this first one is kind of table stakes, but it’s good for anyone, especially smaller businesses that haven’t thought of this: Develop an asset and application inventory, so you know what you have running where.


DUCK.  They doesn’t expressly threaten or claim this, because it’s not for these public servants to make the laws (that’s up to the legislature)… but I think what they’re saying is, “Develop that capacity, because if you don’t, or you couldn’t be bothered, or you can’t figure out how to do it, or you think your customers won’t notice, eventually you might find that you have little or no choice!”

Particularly if you want to sell products to the federal government! [LAUGHTER]


DOUG.  Yes, and we’ve talked about this before… another thing that some companies may have not thought of yet, but is important to have: A vulnerability response program.

What happens in the case that you do have a vulnerability?

What are the steps you take?

What’s the game plan that you follow to address those?


DUCK.  Yes, that’s what I was alluding to earlier.

The simple part of that is you just need an easy way for somebody to find out where they send reports in your organisation… and then you need to make a commitment, internally as a company, that when you receive reports, you’ll actually act upon them.

Like I said, just imagine that you’ve got this big Java toolkit that you’re selling, a big app with lots of components, and in one of the back-end systems, there’s this big Java thing.

And in there, imagine there’s still a vulnerable Log4J .JAR file that you’ve overlooked.

Why wouldn’t you want the person who discovered it to be able to tell you quickly and easily, even with a simple email?

The number of times that you go on Twitter and you see well known cybersecurity researchers saying, “Hey, does anyone know how to contact XYZ Corp?”

Didn’t we have a case on the podcast of a guy who eventually… I think he went on TikTok or something like that [LAUGHTER] because he couldn’t find out how to contact this company.

And he made a video saying, “Hey guys, I know you love your social media videos, I’m just trying to tell you about this bug.”

And eventually they noticed that.

If only he could have gone to yourcompany DOT com SLASH security DOT txt, for example, and found an email address!

“That’s where we’d prefer you to contact us. Or we do bug bounties through this program… here’s how you sign up for it. If you want to be paid.”

It’s not that hard!

And that means that somebody who wants to give you the heads up that you have a bug that you maybe thought you fixed can tell you.


DOUG.  I do love the dismount in this article!

You write and you channel John F. Kennedy, saying [KENNEDY VOICE] “Ask not what everyone else can do for you, but think about what you can do for yourself, because any improvements you make will almost certainly benefit everyone else as well.”

Alright, that is up on the site if you want to read about it… it is required reading if you’re in any sort of position that you have to deal with one of these things.

It’s a good read… at least read the three-page summary, if not the 42-page report.


DUCK.  Yes, it’s long, but I found it surprisingly thoughtful, and I was very pleasantly surprised.

And I thought if people read this, and random people take a random one tenthh of it to heart…

…we ought collectively to be in a better place.


DOUG.  All right, moving right along.

It is summer vacation season, and that often involves taking your gadgets with you.

We have some tips for enjoying your summer vacation without, errr, “not enjoying” it.


DUCK.  “How many gadgets should we take? [DRAMATIC] Pack them all!”

Sadly, the more you take, the bigger your risk, loosely speaking.


DOUG.  Your first tip here is you’re packing all your gadgets… should you make a backup before you set off?

Guessing the answer is, “Yes!”


DUCK.  I think it’s pretty obvious.

Everyone knows you should make a backup, but they put it off.

So I thought it was a chance to trot out our little maxim, or truism: “The only backup you will ever regret is the one you didn’t make.”

And the other thing about making sure that you’ve backed up a device – whether that’s into a cloud account that you then log out from, or whether that’s to a removable drive that you encrypt and put in the cupboard somewhere – it means that you can strip down your digital footprint on the device.

We’ll get to why that might be a good idea… just so you don’t have your whole digital life and history with you.

The point is that by having a good backup, and then thinning out what you actually have on the phone, there’s less to go wrong if you lose it; if it gets confiscated; if immigration officials want to look at it; whatever it is.


DOUG.  And, somewhat related to moving around, you may lose your laptop and or your mobile phone… so you should encrypt those devices.


DUCK.  Yes.

Now, most devices are encrypted by default these days.

That’s certainly true for Android; it’s certainly true for iOS; nd I think when you get Windows laptops these days, BitLocker is there.

I’m not a Windows user, so I’m not sure… but certainly, even if you have Windows Home Edition (which annoyingly, and I hope this changes in the future, annoyingly doesn’t let you use BitLocker on removable drives)… it does let you use BitLocker on your hard disk.

Why not?

Because it means that if you lose it, or it gets confiscated, or your laptop or phone gets stolen, it’s not just a case that a crook opens up your laptop, unplugs the hard disk, plugs it into another computer and reads everything off it, just like that.

Why not take the precaution?

And, of course, on a phone, generally because it’s pre-encrypted, the encryption keys are pre generated and protected by your lock code.

Don’t go, “Well, I’ll be on the road, I might be under pressure, I might need it in a hurry… I’ll just use 1234 or 0000 for the duration of the vacation.”

Don’t do that!

The lock code on your phone is what manages the actual full-on encryption and decryption keys for the data on the phone.

So pick a long lock code… I recommend ten digits or longer.

Set it, and practise using it at home for a few days, for a week before you leave, until it’s second nature.

Don’t just go, 1234 is good enough, or “Oh, I’ll have a long lock code… I’ll go 0000 0000, that’s *eight* characters, no one will ever think of that!”


DOUG.  OK, and this is a really interesting one: You have some advice about people crossing national borders.


DUCK.  Yes, that has become something of an issue these days.

Because many countries – I think the US and the UK amongst them, but they’re by no means the only one – can say, “Look, we want to have a look at your device. Would you unlock it, please?”

And You go, “No, of course not! It’s private! You’ve got no right to do that!”

Well, maybe they do, and maybe they don’t… you’re not in the country yet.

It’s “My kitchen, My rules”, so they might say, “OK, fine, *you* have every right to refuse… but then *we’re* going to refuse your admission. Wait here in the arrivals lounge until we can transfer you to the departure lounge to get on the next flight home!”

Basically, don’t *worry* about what’s going to happen, such as “I might be forced to reveal data at the border.”

*Look up* what the conditions of entry are… the privacy and surveillance rules in the country you’re going to.

And if you genuinely don’t like them, then don’t go there! Find somewhere else to go to.

Or simply enter the country, tell the truth, and reduce your digital footprint.

Like we were saying with the backup… the less “digital life” stuff you carry with you, the less there is to go wrong, and the less likely it is that you will lose it.

So, “Be prepared” is what I’m saying.


DOUG.  OK, and this is a good one: Public Wi-Fi, is it safe or unsafe?

It depends, I guess?


DUCK.  Yes.

There are a lot of people saying, “Golly, if you use public Wi-Fi, you’re doomed!”

Of course, we’ve all been using public Wi-Fi for years, actually.

I don’t know anyone who’s actually stopped using it out of fear of getting hacked, but I do know people go, “Well, I know what the risks are. That router could have been owned by anybody. It could have some crooks on it; it could have an unscrupulous coffee shop operator; or it could be just that somebody hacked it who was here on vacation last month because they thought it was terribly funny, and it’s leaking data because ‘ha ha ha’.”

But if you’re using apps that have end-to-end encryption, and if you’re using sites that are HTTPS so they’re end-to-end encrypted between your device and the other end, then there are considerable limits to what even a completely hacked router can reveal.

Because any malware that’s been implanted by a previous visitor will be implanted on the *router*, not on *your device*.


DOUG.  OK, next… what I consider to be computing’s version of seldom-cleaned public toilets.

Should I use kiosk PCs in airports or hotels?

Cybersecurity aside… just the number of people that have had their hands on that dirty, dirty keyboard and mouse!


DUCK.  Exactly.

So, this is the flip side of the “Should I use public Wi-Fi?”

Should I use a Kkiosk PC, say, in the hotel or in an airport?

The big difference between a Wi-Fi router that’s been hacked and a kiosk PC that’s been hacked is that if your traffic is going encrypted through a compromised router, there’s a limit to how much it can spy on you.

But if your traffic is originating from a hacked or compromised kiosk computer, then basically, from a cybersecurity point of view, *it is 100% Game Over*.

In other words, that kiosk PC could have unfettered access to *all the data that you send and receive on the internet* before it gets encrypted (and after the stuff you get back gets decrypted).

So the encryption becomes essentially irrelevant.

*Every keystroke you type*… you should assume it’s being tracked.

*Every time something’s on the screen*… you should assume that someone can take a screenshot.

*Everything you print out*… you should assume that there’s a copy made in some hidden file.

So my advice is to treat those kiosk PCs as a necessary evil and only use them if you really have to.


DOUG.  Yes, I was at a hotel last weekend which had a kiosk PC, and curiosity got the better of me.

I walked up… it was running Windows 10, and you could install anything on it.

It was not locked down, and whoever had used it before had not logged out of Facebook!

And this is a chain hotel that should have known better… but it was just a wide open system that nobody had logged out of; a potential cesspool of cybercrime waiting to happen.


DUCK.  So you could just plug in a USB stick and then go, “Install keylogger”?


DOUG.  Yes!


DUCK.  “Install network sniffer.”


DOUG.  Uh huh!


DUCK.  “Install rootkit.”


DOUG.  Yes!


DUCK.  “Put flaming skulls on wallpaper.”


DOUG.  No, thank you!

This next question doesn’t have a great answer…

What about spycams and hotel rooms and Airbnbs?

These are tough to find.


DUCK.  Yes, I put that in because it’s a question we regularly get asked.

We’ve written about three different instances of undeclared spy cameras. (That’s a sort of tautology, isn’t it?)

One was in a farm work hostel in Australia, where this chap was inviting people on visitor visas who are allowed to do farm work, saying “I’ll give you a place to stay.”

It turned out he was a Peeping Tom.

One was at an Airbnb house in Ireland.

This was a family who traveled all the way from New Zealand, so they couldn’t just get in the car and go home, give up!

And the other one was an actual hotel in South Korea… this was a really creepy one.

I don’t think it was the chain that owned the hotel, it was some corrupt employees or something.

They put spy cameras in rooms, and I kid you not, Doug… they were actually selling, basically, pay-per-view.

I mean, how creepy is that?

The good news, in two of those cases, the perpetrators were actually arrested and charged, so it ended badly for them, which is quite right.

The problem is… if you read the Airbnb story (we’ve got a link on Naked Security) the guy who was staying there with his family was actually an It person, a cybersecurity expert.

And he noticed that one of the rooms (you’re supposed to declare if there are any cameras in an Airbnb, apparently) had two smoke alarms.

When do you see two smoke alarms? You only need one.

And so he started looking at one of them, and it looked like a smoke alarm.

The other one, well, the little hole that has the LED that blinks wasn’t blinking.

And when he peered through, he thought, “That looks suspiciously like a lens for a camera!”

And it was, in fact, a spy camera disguised as a smoke alarm.

The proprietor had hooked it up to the regular Wi-Fi, so he was able to find it by doing a network scan… using a tool like Nmap, or something like that.

He found this device and when he pinged it, it was pretty obvious, from its network signature, that it was actually a webcam, although a webcam hidden in a smoke alarm.

So he got lucky.

We wrote an article about what he found, linking and explaining what he had blogged about at the time.

This was back in 2019, so this is three years ago, so technology has probably even come along a little bit more since then.

Anyway, he went online to see, “What chance do I actually have of finding cameras in the next places where I stay?”

And he came across a spy camera – I imagine the picture quality would be pretty terrible, but it is still a *working digital spy camera*…. not wireless, you have to wire it in – embedded *in a Phillips-head screw*, Doug!


DOUG.  Amazing.


DUCK.  Literally the type of screw that you would find in the cover plate that you get on a light switch, say, that size of screw.

Or the screw that you get on a power outlet cover plate… a Phillips-head screw of regular, modest size.


DOUG.  I’m looking them up on Amazon right now!

“Pinhole screw camera”, for $20.


DUCK.  If that’s not connected back to the same network, or if it’s connected to a device that just records to an SD card, it’s going to be very difficult to find!

So, sadly, the answer to this question… the reason why I didn’t write question six as, “How do I find spycams in the rooms I stayed in?”

The answer is that you can try, but unfortunately, it’s that whole “Absence of evidence is not evidence of absence” thing.

Unfortunately, we don’t have advice that says, “There’s a little gizmo you can buy that’s the size of a mobile phone. You press a button and it bleeps if there’s a spycam in the room.”


DOUG.  OK. Our final tip for those of you out there who can’t help yourselves: “I’m going on vacation, but what if I want to take my work laptop along?”


DUCK.  I can’t answer that.

You can’t answer that.

It’s not your laptop, it’s work’s laptop.

So, the simple answer is, “Ask!”

And if they say, “Where are you going?”, and you give the name of the country and they say, “No”…

…then that’s that, you can’t take it along.

Maybe just say, “Great, can I leave it here? Can you lock it up in the IT cupboard till I get back?”

If you go and ask IT, “I’m going to Country X. If I were taking my work laptop along, do you have any special recommendations?”…

…give them a listen!

Because if work thinks there are things that you ought to know about privacy and surveillance in the place you’re going, those things probably apply to your home life.


DOUG.  All right, that is a great article…go read the rest of it.


DUCK.  I’m so proud of the two jingles I finished with!


DOUG.  Oh, yes!

We’ve heard, “If in doubt, don’t give it out.”

But this is a new one that you came up with, which I really like….


DUCK.  “If your life’s on your phone/Why not leave it at home?”


DOUG.  Yes, there you go!

All right, in the interest of time, we have another article on the site I beg you to read. This is called: Facebook 2FA scammers return, this time in just 21 minutes.

This is the same scam that used to take 28 minutes, so they’ve shaved seven minutes off this scam.

And we have a reader question about this post.

Reader Peter writes, in part: “Do you really think these things are coincidental? I helped change my father-in-law’s British Telecom broadband contract recently, and the day the change went ahead, he had a phishing telephone call from British Telecom. Obviously, it could have happened any day, but things like that do make you wonder about timing. Paul…”


DUCK.  Yes, we always get people who go, “You know what? I got one of these scams…”

Whether it’s about a Facebook page or Instagram copyright or, like this chap’s dad, telecomms related… “I got the scam the very morning after I did something that directly related to what the scam was about. Surely it’s not a coincidence?”

And I think for most people, because they’re commenting on Naked Security, they realise it’s a scam, so They’re saying, “Surely the crooks knew?”

In other words, there must be some inside information.

The flipside of that is people who *don’t* realise that it’s a scam, and won’t comment on Naked Security, they go, “Oh, well, it can’t be a coincidence, therefore it must be genuine!”

In most cases, in my experience, it absolutely is down to coincidence, simply on the basis of volume.

So the point is that in most cases, I am convinced that these scams that you get, they are coincidences, and the crooks are relying on the fact that it’s easy to “manufacture” those coincidences when you can send so many emails to so many people so easily.

And you’re not trying to trick *everybody*, you’re just trying to trick *somebody*.

And Doug, if I can squeeze it in at the end: “Use a password manager!”

Because then you can’t put the right password into the wrong site by mistake, and that helps you enormously with those scams, whether they are coincidental or not.


DOUG.  All right, very good as always!

Thank you for the comment, Peter.

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @nakedsecurity.

That’s our show for today; thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you, until next time, to…


BOTH.  Stay secure!

[MUSICAL MODEM]


http://feeds.feedburner.com/NakedSecurity

Leave a Reply