Stephen Kho, Rob Kuiter, Vlad Ovtchinikov at the 44Con cybersecurity conference
Do you use your mobile phone to browse the Internet when youíre abroad? If you do, you could be in danger of someone siphoning off your data. Weíll hear how in a moment....
But first, email: if an email turns up from someone with a familiar name, and thereís a document attached to it that seems to be relevant, or you work in recruitment and someone sends you a CV, youíre likely to open it. But these documents are often phony and are a virus in disguise. And when you open them on your computer they deploy a malicious programme called a ďpayloadĒ that hijacks the machine.
Graihagh Jackson has been at the 44Con conference where she met Vlad Ovtchinikov who looks at ways hackers use to entice us to open malicious documentsÖ
Vlad - These days, what attackers are moving onto is client side exploitation. Itís when we deliver payload, not directly, not attacking the machine directly from the internet, but we deliver the payload which will infect the system through the email or other means.
Graihagh - So, I open up an email and how might you be able to infect my computer with malware?
Vlad - Well usually, scenarios are Ė we profile our targets carefully. We construct an email within the context of interest of business of the person weíre targeting. In lots of cases, we use documents. It contains some smart code within it which will identify the system that it runs on and then it will execute the payloads and will provide us with a reverse access to your system. This is the primary distribution vector for banking malware.
Graihagh - So, itís literally as simple as opening up a Word document.
Vlad - Yes, it is. From my experience, we were successful, 95% success over that.
Graihagh - So, how do you convince people to open this document because we all know that you donít open emails from people you donít know, you donít trust, it might contain a software. People are aware of that. So, how do you convince them so to speak?
Vlad - It might be from a national organisation and it might be an email sent to you from a trusted address containing something thatís tempting to open. It might be a payslip from the place or organisation. So, there are many different associated tricks to make you want to execute a document and run it.
Graihagh - So, to engage someone, you might say, my colleague 'xyz' salary or bonus and then meant that might be a good way to entice someone. I know I would be tempted to open up a document that said something like that.
Vlad - There are many different ways and techniques we can apply in order to persuade the potential victim to run it. Most of those documents are cleaned up so anti-virus systems that you have installed will not catch them.
Graihagh - So, once you have access, once youíve opened that document, what sort of information can you gain through that?
Vlad - Everything. Everything that the user has access to, even more in some cases, we have more access and control over the box that the user has. So, full access to the userís workstations and the network environment around him.
Graihagh - What sort of examples do you have that might demonstrate the power of something like this?
Vlad - Malicious guys, based underground. so, theyíll be able to fish out credit card details from your computers. Theyíll be able to see their memory. It will inject itself into the browser and will compromise everything you see on screen through the browser. Itíll be able to capture any form submissions which you are sending out via HTTPS. Itís called form grabbing. For example, you visit an HSBC webpage. Everything looks legitimate but before the browser renders up, the html will be able to inject some additional code into it, so whatever you see will be hijacked. There might be additional field added to it asking for your date of birth or your credit card number due to security reasons or whatever. So, everything can be done. Once you compromise the system, everything on the system as well as everything that sits behind it within that work environment is basically a open air.
Graihagh - I've learned a little bit about some of the security issues about what happens when you're at home and in the workplace, but what about when you're on your holidays? Well, I've just stepped outside the conference with Stephen Kho and Rob Kuiters from KPN to talk a little bit about what happens when you're roaming abroad on your mobile phone or tablet. Normally, when you're at home, you're browsing the web. That data goes straight to your network. But when you're traveling in another country, there's an additional network it has to go through and that network is the GRX. Now, youíve both been looking at the security of this additional network GRX. But first Stephen, what sort of data are we talking about here?
Stephen - GRX carries the roaming data part. So, not the voice or your SMS text, but anything you do when you're browsing the internet for example. So, if you log into yahoo mail, Gmail, your Facebook, all data related goes through across that.
Graihagh - What's your work revealed?
Stephen - We discovered actually that so much of the GRX network equipments Ė so the servers and different systems - were fully out of date, misconfigured, missing patches. And so, with easily available hacking tools you could reach it and exploit those systems and then subsequently, you could capture this information.
Graihagh - What sort of information are we talking about? I know we say we've of logged into Facebook, but does it really matter that theyíve seen a few friends and I've written that I like that personís photo on Facebook?
Rob - I think there's more data carried across. Itís not only your content, but also your credentials. So, you're using your passwords. You could access all these kinds of information on this network.
Stephen - On top of that, GTP which is the protocol information, that has your location details. It also reveals what sort of equipment you're using. So, if you're on an iPhone 5S or a Samsung S5, that sort of information is available which means that you can have a really targeted exploit against you if you were the person of interest.
Graihagh - So, itís not just generic sweeping data. Itís actually data thatís very, very personal to you. Surely, thatís illegal. Surely, that shouldnít be allowed to happen.
Stephen - Well, thatís very difficult to say because we donít actually know what kind of legislation or what kind of freedom these intelligence services have. But you can, if you want to, protect yourself by using a VPN solution. So, there are quite a few numbers of applications which you can install on your phone which encrypts your information from your phone towards a server. So, you have additional security measures there. Itís more difficult for them to extract the information out of that traffic flow. Thatís the kind of protection you can take care of yourself.