Troy Hunt: The Modern State of Insecurity (Part One)

Troy Hunt, creator of “Have I been pwned”, gives a virtual keynote that explores how security threats are evolving - and what we need to be especially conscious of in the modern era.

In this keynote, you’ll learn:

Real world examples of both current and emerging threats
How threats are evolving and where to put your focus
How to stem the flow of data breaches and protect against malicious activity

and much more!

Transcript
Cindy Ng: Troy Hunt is a world-renowned web security expert known for public education and outreach on security topics. And we recently invited Troy to give a keynote on the modern state of insecurity.

Troy Hunt: Where I'd like to start this talk is just to think briefly about some of these, sort of, conventional threats that we've had, and in particular some of the ways in which some of the just absolute fundamentals of InfoSec we're still struggling with today just as we were yesterday. And I wanted to kind of set a bar, and this will be...as you will see in a moment, it's kind of like a very, very low bar. And then we'll have a look at some of the newer things.

I was looking around for examples and I actually...it's always nice to talk about something in your own country where you've come from, so I wanted to try and find an example that showed where that bar was. And very fortuitously, not so much for them, we had a little bit of an incident with CommBank. CommBank are pretty much the largest bank in the country, certainly one of our big four banks. As part of our royal commission into banking at the moment, where all the banks are coming under scrutiny, there was a little bit of digging done on the CommBank side and they discovered that there had actually been an incident which they needed to disclose. One of the reasons it's fascinating is because banks are, sort of, the bastions of high levels of security. So we have this term, we literally have a term, bank-grade security, which of course people imply means very, very good security, not always that way but that's the expectation.

So CommBank had to disclose a bit of an incident where they said, "Look, we're decommissioning a data center, moving from one data center to another and as part of the decommissioning processes, what we needed to do was take all the tapes with the customer data on them and send them for destruction. And what they've done is they've loaded all of the tapes up onto a truck, I've got some file footage, here's the Commonwealth Bank truck. So all of the tapes are on the truck, the truck's driving along, they're taking all the data from this one data center and they're going to go and securely destroy it. Now, there's about 12 million customer records on the back of the truck, and it's driving along and it turns out they may have put just a few too many datas on the truck and some of it fell off. And this was the disclosure, like, there was some data that was lost, it might have fallen off the back of the truck.

And there was literally a statement made by the auditors, I think it was KPMG that audited them, they said, "Forensic investigators hired to assess the breach, retraced the route of the truck to determine whether they could locate the drives along the route but were unable to find any trace of them."

And I just find it fascinating that in this era of high levels of security in so many ways and so much sophistication, we're still also at the point where data is literally falling off a back of a truck. Not metaphorically, but literally falling off the back of a truck. Possibly, they couldn't find it again so maybe it didn't fall off but they were the headlines we were faced with a few months ago.

So it's interesting to sort of keep that in mind and you'll see other, sort of, analogous things to data falling off the back of a truck, perhaps in a more metaphorical sense, every single day online. I mean the canonical one at the moment is data exposed in open S3 buckets. Going back to late 2016, early last year it was constantly data in exposed MongoDBs with no passwords on it. So we're leaving data lying all over the place, either digitally or potentially even physically in the case of CommBank.

Now, moving back towards some more sort of traditional InfoSec threats as well, one of the interesting things to start thinking about here is the monetization of pipleline. So what are the ways in which our data gets monetized? And this is where, I think, the history is quite interesting as well because we often think about things like ransomware as being a very modern-day problem. Particularly, I think, last year was probably a bit of a peak for ransomware news just seeing consistently everything from hospitals to police departments to you name it, was getting done by ransomware.

We're seeing this happen all the time and we do think of it as a modern internet-driven problem, but ransomware also goes back a lot further than that as well. And this was the AIDS Trojan. This dates all the way back to 1989 and this was ransomware which would encrypt the C drive and you'd need to have a private key in order to unlock the contents of the drive.

There was no bitcoin, of course, you've got to get an international money order, make it payable to PC Cyborg Corporation, and then all you do is you just send it off to this location in Panama. Imagine this as well, right, you would have had to actually put the check in an envelope and then it would go by trucks and planes and boats, and whatever else, eventually get there and then, I guess, they would open it and cash the money and then maybe send you back a key. It sounds like a lot of labor, doesn't it compared to ransomware today? But this was a thing so there was ransomware going back 30 years.

Now, of course, it didn't distribute via the internet in the late '80s, it distributed via envelopes and this was literally shipped around, I guess in this case, in like a 5.25-inch floppy disk, quite possibly. And you'd get this in the mail, and maybe this was like the olden day equivalent of finding a USB in a car park, you know? Like, something just turns up and you think, "Oh, this will be interesting, chuck this in and see what happens."

But this was a problem decades ago and it's still a problem today, and this sort of speaks to the point of the modern state of insecurity is very much like what it was many years ago as well. But of course, due to the internet and due to the rise of cryptocurrencies, the whole thing just works far more efficiently at least on behalf of those breaking into systems.

But what this also does is creates a bit of an economy, and there's an economy around ransomware, not necessarily just for bad guys because by encrypting devices, and of course many organizations not having appropriate backups, it also leads to an economy in organizations that would help you get your data back, proven data recovery or PDR, 97.2%. And that is a pretty impressive success rate because we often think of ransomware as being very effective, and very often it is very effective, it's good crypto that you actually need the key for.

And occasionally we see smart researchers manage to break that and provide keys publicly to people, but very frequently it's very effective ransomware that's hard to get access to. So it makes you wonder how an organization like this manages to achieve such a high success rate. And we did actually learn how they achieved it. The FBI said subsequent investigation confirmed that PDR was only able to decrypt the victims' files by paying the subject the ransom amount via Bitcoin. And this is a kind of another one of these really multifaceted issues which I struggle with mentally. And I'll explain why. On the one hand, I struggle with the fact that someone is paying ransoms, because I think within all of us we don't want to feel like you ever should pay the bad guys, because if you pay the bad guys they're just going to continue being bad and it legitimizes their business.

On the other hand, I can also understand why organizations get really desperate as well. We've certainly seen a lot of ransoms paid and almost, unfortunately, we've seen data recovered as a result of that. So the economics of paying the ransom are often very good on the victims' behalf regardless of where it sits morally with you.

But because the economics are also very good, it legitimizes organizations like PDR that were charging people the ransom to get their files back. And I'd actually be curious to know if you're gonna pay the equivalent of the ransom anyway, why would you pay PDR, why wouldn't you just pay the bad guys? And I suspect that maybe it comes back to that sort of moral high ground, we don't want to legitimize the business, let's pay a professional data recovery organization to get the data back for us, and then we get the end result without sort of legitimizing the business. And I think the bit here that sits really badly with people is that there was obviously some level of deceit going on here where PDR was saying, "Look, we'll get your data back for you." And then they just went and paid the ransom. I would imagine that they actually mark up the ransom as well because they've got to have a margin on this thing, either that or they somehow managed to negotiate it.

So that's a sort of curious indictment of where we're at today insofar as we've had ransomware for decades, it's still here, different problems now but still very, very effective in creating this other ecosystem around monetization.