S3 Ep104: Should hospital ransomware attackers be locked up for life? [Audio + Text]
Credit to Author: Paul Ducklin| Date: Thu, 13 Oct 2022 16:37:10 +0000
THREE DEEP QUESTIONS
Should hospital ransomware attackers get life in prison? Who was the Countess of Computer Science, and just how close did we come to digital music in the 19th century? And could a weirdly wacky email brick your iPhone?
With Doug Aamoth and Paul Ducklin.
Intro and outro music by Edith Mudge.
Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.
You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.
READ THE TRANSCRIPT
DOUG. Legal troubles abound, a mysterious iPhone update, and Ada Lovelace.
All that and more on the Naked Security Podcast.
[MUSICAL MODEM]
Welcome to the podcast, everybody.
I am Doug Aamoth; he is Paul Ducklin.
Paul, how do you do today, Sir?
DUCK. I’m very well, Doug…
…except for some microphone problems, because I’ve been on the road a little bit.
So if the sound quality isn’t perfect this week, it’s because I’ve had to use alternative recording equipment.
DOUG. Well, that leads us expertly into our Tech History segment about imperfection.
DUCK. [IRONIC] Ohhhhh, thanks, Doug. [LAUGHS]
DOUG. On 11 October 1958, NASA launched its first space probe, the Pioneer One.
It was meant to orbit the moon, but failed to reach lunar orbit thanks to a guidance error, fell back to Earth, and burned up upon re-entry.
Though it still collected valuable data during its 43 hour flight.
DUCK. Yes, I believe it got to 113,000km above the Earth… and the Moon is just shy of 400,000 kilometres away.
My understanding is it went off target a bit and then they tried to correct, but they didn’t have the granularity of control that they do these days, where you run the rocket motor for a little tiny burst.
So they corrected, but they could only correct so much… and in the end they figured, “We’re not going to make it to the moon, but maybe we can get it into a high Earth orbit so it’ll keep going around the Earth and we can keep getting scientific measurements?”
But in the end it was a question of, “What goes up… [LAUGHS] must come down.”
DOUG. Exactly. [LAUGHS]
DUCK. And, as you say, it was like shooting a very, very, very powerful bullet way into outer space, well above the Kármán line, which is only 100km, but in such a direction that it didn’t actually escape the influence of the Earth altogether.
DOUG. Pretty good for a first try, though?
I mean, not bad… that’s 1958, what do you expect?
I mean, they did their best, and got a third of of the way to the moon.
Well, speaking of people not doing their best and crashing, we’ve got a kind of a lightning round of legal stories here…
…starting with our friend Sebastien Vachon-Desjardins, who we’ve spoken about before.
He is in hot water in Florida and perhaps beyond:
DUCK. Yes, we’ve spoken about him on the podcast, I think, a couple of times.
He was a notoriously busy affiliate of the NetWalker ransomware-as-a-service crew.
In other words, he didn’t write the ransomware… he was one of the attackers, breakers-in and deployers of it.
As far as I know, he was quite keen on ransomware: he joined several of these gangs, as it were; signed up to several clubs.
Apparently, he may have made as much as one-third of the overall NetWalker gang’s earnings, so he was very vigorous.
So we’re talking about many millions of dollars that he made for himself, and of course, 30% of that was going to the core people.
He was arrested in Canada, he was sent to prison…
…and then he was specially released from prison in Canada.
Not because they felt sorry for him: they released him from prison so he could be extradited to the US, where he decided to plead guilty, and got 20 years.
Apparently when he finishes those 20 years in federal prison, he will be deported to Canada and he will go straight back in to finish his seven years in Canada.
And if I remember correctly, the judge in that case, noting that this is a ransomware gang that is, amongst other things, notorious for attacking health care institutions, hospitals; people who really, really can’t afford to pay, and where the disruption really, really directly affects people’s lives…
…the judge apparently said words to the effect of, “If you hadn’t actually decided to plead guilty, put your hand up for the offence, I would have sentenced you to life in prison.”
DOUG. Yes, that’s wild!
OK, also kind of low: the former Uber CSO Joe Sullivan… this story is also wild!
They’re answering to a breach that happened with the regulators, and while they’re answering to the breach that happened, *another* breach happens and there’s coverups:
DUCK. Yes, that was a vigorously watched story by much of the cybersecurity community…
Because Uber have paid all sorts of penalties, and apparently they agreed to co-operate, but this wasn’t the company being charged.
This was the individual who was supposedly in charge of security – he had previously been at Facebook, and then was enticed to Uber.
As far as the jury was concerned, it wasn’t so much that the crooks got paid in this case, it’s that they got paid to pretend that the data breach was a bug bounty; that they disclosed it responsibly rather than actually stole the data and then extorted it.
And, of course, the second part of this is, I believe… I’m not sure how you say this word, because you don’t hear it in the UK, but it’s “misprision”… I think that’s how you say it.
It basically means “covering up a crime”.
And, of course, that deals with the fact that, as you say, they’re in the middle of an investigation, they’re being reviewed by the FTC… you’re about to convince them. “Yes, we have put in a whole load of precautions since last time.”
And in the middle of trying to plead your case and go, “No, no, we’re much better than we were”…
…oh, dear, you lose not just some records, what was it?
More than 50 million records relating to people who’d taken Ubers, customers.
Seven million drivers, and that included driving licence numbers for 600,000 drivers and SSNs (social security numbers) for 60,000.
So that’s pretty serious!
And then just trying to go, “Well, let’s [COUGHS MEANINGFULLY] make it so that we don’t have to tell anybody, and then let’s go and get the crooks to sign non-disclosure agreements.” [LAUGHS]
Speaker1
[LAUGHS] Oh, god!
DUCK. [LAUGHING] Not funny, Doug!
DOUG. Very good.
And a little more cut and dried…
If you create an app that purports to be connected with WhatsApp, and you collect user credentials, WhatsApp’s going to come after you!
DUCK. Yes, this is a case of WhatsApp and Meta.
Sounds a bit weird to say both of them, but I guess both legal entities (WhatsApp is owned by Meta) have decided, “Well, if you can’t beat them, sue them!”
So this is credential theft, so that accounts can be used basically to send fake messages.
Spam, basically, but probably also loads of scams, right?
If you’ve got my password, you can contact all my buddies and said, “Hey, I made loads of money out of this cryptocoin scam,” and because it’s *me* saying it rather than some random individual off the internet, you might be more inclined to believe it.
So WhatsApp figured, “Right, we’re just going to sue you, and try and shut down your companies that way. And that would basically give us a vehicle to force all these apps to be removed, wherever they might appear.”
Unfortunately, the crooks had done enough treachery to sneak them into Google Play.
So the accusation is that they “misled more than 1 million WhatsApp users into self-compromising their accounts as part of an account takeover attack.”
And by self-compromise, it means they just presented users with a fake login page and basically proxied their credentials.
Presumably they kept them and abused them afterwards…
DOUG. OK, we will keep an eye on that.
Now, please tell us, what does a Countess who lived in the first half of the 19th century have to do with computing and computer science?
DUCK. That would be Ada Lovelace.
Or, more formally, Ada, Countess of Lovelace… she married a chap who was called Lord Lovelace, so she became Lady Lovelace:
She was of aristocratic stock, and in those days, women generally didn’t go into science.
But she did: she was keen on mathematics.
And she met up, as a youngster, as a teenager, I think, with Charles Babbage, who’s famous for having invented the Difference Engine, which could calculate things like trig tables.
So therefore the UK government was interested because where you can do trigonometry, you can do artillery tables, and that means you can make your gunners more accurate on land and sea.
But then Babbage figured, “That’s just a pocket calculator (in modern terminology). Why don’t I build a general-purpose computer?”
And he designed a thing called the Analytical Engine.
And that was what Ada Lovelace was really interested in.
In fact, I believe she offered to be Babbage’s VC at one point, his venture capitalist: “I’ll bring in the money, but you have to leave the running of the business part of it to me. Let me build the business for you!
DOUG. It’s truly amazing.
To anyone that’s listening to this…
…as you’re listening to this story, I want you to keep in mind that she died at 36.
She’s doing this all in her 20s and early 30s.
Amazing things!
DUCK. She died of uterine cancer, so she was really in pain and unable to work in the end.
And she didn’t just want to be the business person behind it, “Hey, let me build a business.”
Babbage, I think, had a little bit of bitterness towards the establishment for not coming in; he wanted to do it in a more traditional, “No, I want to prove I’m right kind of way”, rather than going, “Yes, just go and find me the money,” which might be the approach today.
So the business side that she proposed never came off.
But she was also essentially the world’s first computer programmer… certainly she was the first published computer programmer.
You can imagine Babbage tinkering with his Analytical Engine… he probably came up with some programs before she did, but he never realised them.
And certainly he never published, like she did, a treatise on why this Analytical Engine was important, and the fact that it could actually do much more than just numeric calculations.
She had this vision that calculators added numbers together, but if you could do numeric calculations and on the basis of those make decisions (what we might now call IF…THEN…ELSE), then you could actually represent and work with all sorts of other stuff, such as logical propositions, devising proofs, or even working with music, if you had some mathematical or numerical way of representing music.
Now, I don’t know whether digital music will ever take off, Doug, but if it ever does…
DOUG. [LAUGHS] We have Ada Lovelace to thank!
DUCK. She was there in 1840, thinking and writing about this!
She was, believe it or not, the daughter of the famous (or infamous) poet Lord Byron.
Apparently her mother and father parted ways, so I don’t believe she ever met him – she was sort of the “unknown daughter” to him.
Now, Byron famously was on vacation in Switzerland once, where rain kept him and the friends that he was vacationing with indoors.
And those friends were Percy and Mary Shelley.
And Byron said, “Hey, let’s have a horror story writing competition!” [LAUGHTER]
And what he did, and what Percy Shelley did, came to nothing; no one remembers what they wrote.
But Mary Shelley… that is apparently where she came up with Frankenstein…
DOUG. Wow!
DUCK. … or the modern Prometheus, which is essentially all about artificial intelligence and human-created thought machines, if you like, and how it ends badly.
And Ada, Byron’s daughter, was actually the first person to write in a scientific way about “Can machines think?” in the notes that she wrote on the Analytical Engine.
She did *not* share the same horror story concerns that her father’s chums had.
The way she wrote it (scientists generally had a more literary bent in those days):
The Analytical Engine has no pretensions whatever to originate anything. It can do whatever we know how to order it to perform. It can follow analysis, but it has no power of anticipating any analytical relations or truths.
So she saw computing devices, general-purpose computing devices, as a way of helping us understand and work out things that would be impossible for regular human minds to do.
But I don’t think she thought that they could be a replacement for human minds.
DOUG. And again, keep in mind she’s writing this in 1842…
DUCK. Exactly!
It’s one thing to hack in real life; it’s another to hack on imaginary computers that you know *could* exist, but nobody has built one yet.
DOUG. [LAUGHS] Exactly.
DUCK. The problem was, because these computers were mechanical and required mechanical gears, they required absolute perfection in manufacturing.
Or there would just be this cumulative error that would make them lock up due to backlash, the fact that the gears don’t mesh perfectly.
And I think, as we’ve said in the podcast before, ironically, it took the design of digital computers, that are essentially extensions of the Analytical Engine, that can control computerised metal cutting machines with sufficient precision…
…before we could make a Difference Engine or an Analytical Engine that actually worked.
And if that isn’t a fascinatingly circular story, I don’t know what is!
So Ada Lovelace was in the middle of this: proselytiser; evangelist; scientist; mathematician; computer scientist; and as a budding venture capitalist, saying to Babbage, “Let go of all your business interests; hand them over to me. I move in the right circles to find you the money – I’ll get the investment! Let’s see what we can do with this!”
And, for better or for worse, Babbage baulked at that and apparently died essentially in poverty, rather a broken man.
One wonders what might have happened had he done it…
DOUG. It’s a fascinating story.
I urge you to head to Naked Security to read it.
It’s called Move over, Patch Tuesday – it’s Ada Lovelace day.
Great long read, very interesting!
And now let’s wrap up with this mysterious iPhone update, which is a so-called “one-bug fix”.
These are not common:
DUCK. No, mostly when you get your Apple updates (because you don’t know when they’re coming – there isn’t a Patch Tuesday where you can predict), they just arrive…
…there’s this giant list of stuff that they’ve fixed since the last one they did.
And occasionally there’s a zero-day, massive emergency, and you get an Apple update that says, “Oh, well, we’re fixing one or maybe two things.”
And this one just suddenly arrived, for iOS 16 only.
I was about to go to bed, Doug… it was quite late, and I thought, I’ll just have a look at my email, see if Doug sent me anything. [LAUGHTER]
And there was this thing from Apple: iOS 16.0.3.
And I thought, “That’s sudden! I wonder what’s gone wrong? Must be a zero day.”
So I went into the security bulletin… it’s not a zero day; it’s only a denial-of-service (DoS) attack; not an actual remote code execution.
The Mail app can be made to crash.
And yet Apple suddenly pushed out this update and it just says:
Impact: Processing a maliciously crafted mail message may lead to a denial of service. An input validation issue was addressed with improved input validation.
Strange double use of the word validation there…
CVE-2022-22658.
And that’s all we know.
And it doesn’t say, “Oh, it was reported by such-and-such a bug hunting group”, or, “Thanks to an anonymous researcher”, so I presume they found it themselves.
And I can only guess that they felt they needed to fix this really quickly because it could accidentally lock you out of your phone, or make it almost unusable.
Because that’s the problem with denial-of-service bugs when they’re in messaging apps, isn’t it?
You think of denial of service… the app crashes; woo hoo, you just start it again.
But the problem with a messaging app is that: [A] it tends to run in the background, so it can receive a message at any time; [B] you don’t get to choose who sends you messages, other people do; and [C] it may be that in order to get into the app to delete the rogue message, you have to wait for the app to load, and it decides. “Oh. I need to show you this message that you want to del…”, CRASH!
What I call a CRASH: GOTO CRASH
error.
In other words, maybe you can’t fix it, because while you’re booting your phone, or if you restart your phone, by the time you get to the point that you could jump in and hit delete on the message…
…the app has already crashed again; too late!
We know that there have been so-called “text of death” problems in iOS before.
We’ve got a list of them in the Naked Security article – they’ve made quite fascinating stories.
So we don’t know whether it was it an image, the way that glyphs (character images) get formed, character combinations, text direction… we don’t know.
It’s certainly worth getting the patch, because my gut feeling is if Apple thinks it’s important enough to put it in the security bulletin, which has that one-and-only-one fix, when it’s not a zero day, and it’s not remote code execution, and it’s not elevation of privilege…
…then they’re probably worried what would happen if anyone else found out about it!
So maybe you should be too.
It’s also, Doug, a fantastic reminder that although people tend to prioritise vulnerabilities from remote code execution at the top; then elevation of privilege then information leakage…
…denial of service is, “OK, the server can crash, but I can always start it up again.”
That can nevertheless be a really troublesome sort of problem.
Although it might not steal your data or ransomware your files, it could nevertheless prevent you using your computer, getting at your data, and doing real work.
DOUG. Yes, we have the issue here that you need to update, but if you are experiencing this problem, you might not be able to get to the update if your phone keeps crashing!
So that leads us into our reader question for the week.
Here on the post that we’re talking about, Naked Security reader Peter asks:
Not an Apple user here, but isn’t there an option for Apple users to log into their email accounts in a browser which hopefully doesn’t crash like the app and delete the mail there instead of wiping your device?
DUCK. Well, that’s certainly true for me.
The way I use my iPhone, I can read the same mail on my phone as in the web app in my browser.
So it’s a good starting point, if you’re locked out of your phone, and if you happen to have a laptop handy.
The problem is that when you’ve deleted mails, say, in your web browser, or via the native app on your laptop…
…your phone Mail app still has to sync with the server to know that it’s got to delete those messages.
And if, on the way there, it processes the message that it’s now about to delete, it could still get into the crashtastic situation, couldn’t it?
So the problem with that comment is the only real answer I can give is: “Not enough info. Can’t say for sure. But I jolly well hope you can do that!”
DOUG. Give it a try, at least.
DUCK. Yes, give it a try!
If you really get locked out, so that your phone crashes as soon as it starts, you’d like to think you could do what Apple call a DFU (direct firmware update), where you basically start afresh.
But the problem is to enable that (to stop it being used for evil), it essentially involves a wipe-and-start-over.
So you would lose all the data on the phone, assuming it would work.
So I guess the answer to that question is…
Try the least intrusive way of solving it that you can first.
Try “beating the app” on the phone, the messaging app.
This is what worked for some of the previous iOS things.
You basically reboot your phone; [SPEEDING UP] you type in your lock code really quickly; [SPEAKING REALLY FAST] you get into the app as fast as you can, and you click delete…
…before the phone gets there and starts the process that eventually runs out of memory.
So you might have enough time to do it on the phone itself.
If not, try doing it via an external app that manages the same set of data.
And if utterly stuck, then I suppose a flash-and-reinstall is your only solution.
DOUG. All right, thank you, Peter, for sending that in.
If you have an interesting story, comment, or question you’d like to submit, we’d love to read on the podcast.
You can email tips@sophos.com; you can comment on any one of our articles; or you can hit us up on social: @nakedsecurity.
That’s our show for today.
Thanks very much for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…
BOTH. Stay secure.
[MUSICAL MODEM]