
When security firms get hacked, and your new North Korean remote worker

2024/10/23

Smashing Security

People

Carole Theriault
Well-known cybersecurity podcast host and information security consultant, founder of the multi-award-winning Smashing Security podcast.

Graham Cluley
A globally known cybersecurity expert and podcast host, focusing on cybersecurity, hacking and online privacy.

Topics
Graham Cluley: This episode discusses the SolarWinds supply-chain attack and its aftermath, including several cybersecurity companies being penalised for failing to adequately disclose the incident's impact on their own businesses. He also looks at SolarWinds' own security failings, such as a weak, hard-coded password exposed in a public source repository, and how the attackers used their access to the update server to plant malware in a signed software update. He then turns to the rise of remote working and the security risks it brings, in particular how a company unwittingly hired a remote IT worker from North Korea, who used his access to steal data and then tried to extort the company after being dismissed.
Carole Theriault: Carole leads the discussion of remote working: its benefits (access to a global talent pool, lower office costs, productivity at home) and the security risks it introduces. She argues for stricter identity verification and hiring checks when onboarding remote workers, shares her own experience of working from home, and discusses the tension between vetting candidates rigorously and not driving away genuine applicants, as well as the importance of companies being transparent and honest when something goes wrong.

Chapters
The SolarWinds hack, a significant cybersecurity breach in 2020, continues to affect major cybersecurity firms. Four of them, Avaya, Check Point, Mimecast and Unisys, have been fined by the SEC for downplaying the breach's impact on their companies.
  • The SolarWinds hack affected as many as 18,000 of its 300,000 customers.
  • The hackers stayed inside victim systems for up to nine months undetected.
  • Security firms were fined for not being transparent about the breach.

Transcript


It wasn't helped, of course, because SolarWinds had been advising customers to disable any antivirus before installing its software. In retrospect...

Maybe not the best advice.

Maybe not the best, but it doesn't look that good. Yeah.

Smashing Security episode three hundred and ninety: When security firms get hacked, and your new North Korean remote worker. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode three hundred and ninety.

My name's Graham Cluley.

And I'm Carole Theriault. Graham, a much better voice this week. Are you feeling better?

I am. And I'm getting my sense of smell and taste back. That was a bit of a shocker. Not fun.

I didn't know you had any sense of taste ever. It's a bit extreme, waking up with you. You call me on the... sorry.

I don't mean

to bully you. Now, I've had a busy week. I went off to Norway. Yeah, I performed on the stage at the Oslo Opera House, perhaps you've heard of it.

It's very beautiful.

It's stunning, the Oslo Opera House. It's an incredible piece of architecture. Really, really cool. Looks like a Bond villain's lair. But it was terrific being there and meeting some fans of the pod as well. Hope you enjoyed your stickers.

High five, you all. Now let's kick this show off and thank this week's wonderful sponsors, 1Password and Vanta. Now, coming up on today's show, Graham,

I'm going to be talking about when even the security companies

get hacked. And I'm going to talk about when a new remote hire does not work out as planned. All this and much more coming up on this episode of Smashing Security.

Now, Carole, Carole, I'm going to start off today talking about a hack which happened a few years ago, the hack of SolarWinds. Carole, you've heard of SolarWinds? Yes, of course you have.

It was huge, huge. And they are a huge company. They're a five billion dollar company.

They manage network infrastructure for, well, just about everyone. Over four hundred and twenty-five of the US

Fortune 500 are using this software. That means the top ten US

telecoms companies, all branches of the US military, the Department of Justice, the US President's office, the top five accounting firms, Microsoft, Google; the list goes on and on and on. And their problems began when some of their developers left their GitHub repository, the place where they are putting their source code,

open to the public, to the entire world, which isn't a good idea, is it? Well, I think that can be all right, leaving your source code up. Maybe not if your source code includes a hard-coded plaintext password for one of your company's update servers. That's not so good, is it? Not surprised. No.

You wouldn't want to do that if you were a company.

No, no. Bad enough. What's even worse, though, than revealing your password is revealing that it's a really, really bad password. I can't

remember what it was. So the

company's name is SolarWinds, and they have a password to their update server. Have a guess.

I guess it's SolarWinds with some zeros

and ones? You're so close. The password was solarwinds123.

Yeah, not that

great, as we all know. To have a properly strong password, you'd need to have an exclamation mark on the end of that.

So SolarWinds, they took an interesting approach when they were challenged about this. In fact, a member of Congress, Katie Porter, she went viral briefly when she spoke to the SolarWinds CEO about it. Does this look familiar to you?

Yes, solarwinds123. Is it true that some servers at your company were secured with this crackerjack password, solarwinds123? I've got a stronger password than

solarwinds123 to stop my kids from watching too much YouTube on their iPad. And the SolarWinds CEO, he responded by saying, well, it wasn't really our fault, and he blamed it on an intern.

No.

Congressman, I believe that was a password that an intern used on one of his GitHub servers back in 2017, which was reported to our security team, and it was immediately removed.

Gross. Not good.

And the problem was these Chinese hackers broke into SolarWinds. They exploited their access to the update server and created a malicious software update called Sunburst. That malware was installed via the booby-trapped SolarWinds software update. It then sat around waiting for round about two weeks before doing anything malicious.

And then when it triggered, it disabled all antivirus software and forensic tools to try and stay undetected. And it started looking for other vulnerabilities to exploit on your network. And ultimately, as many as eighteen thousand of SolarWinds' three hundred thousand customers installed this malicious software update, and they were now compromised with a remote access trojan. And eighteen thousand, you may think,

could have been much worse.

I remember the companies, yeah, the organizations: this is NATO, the UK government, the European Parliament, Microsoft, organizations like that. And the hackers hung around undetected for up to nine months

inside all

of these organizations, stealing information, gaining unauthorized access to data in email accounts. Huge data theft. It's one of the biggest hacks in history, one of the most serious security breaches. And it wasn't helped, of course, because SolarWinds had been advising customers to disable any antivirus before installing its software. In retrospect, Carole,

maybe not the best advice.

Maybe not the best, but it doesn't look that good. Yeah, doesn't look that good.

No. Also, you can understand how big companies have been working in a certain way for decades, potentially, and everything's gone tickety-boo, and they have these certain little back doors in place, and they're there for a very good reason as long as they're kept schtum and all this. And I'm sure many companies do this, and it's not smart, you know, because when this happens, it's a real shitshow.

Well, yeah, it's not smart publishing your...

It was obviously an error, not by design.

I'm not saying it's deliberate by any means. And of course, organizations like governments, like big companies, like the US President's office, whatever, they do rely upon security companies and cyber companies pushing out updates, and sometimes they will kind of green-light those updates rolling out. Now, we saw that with the big CrowdStrike outage earlier this year. We were basically

saying that companies need to be paranoid all the time, but, like, how paranoid can you be and run a business? So it's complicated.

It's difficult, but we are putting a lot of trust in these companies. So this happened back in 2020, this huge data breach caused by this supply chain attack.

So why am I talking about this today, Graham? Is it that there are no other good stories in the last four years? Well, the reason is because there's been a development, because although the breach happened in 2020, there are now some other big cyber firms which have been caught with their trousers down as a result of this breach. Cybersecurity firms like Avaya, Check Point, Mimecast and Unisys have just been fined by the SEC, which says they tried to brush the impact of the SolarWinds hack, the impact that hack had on their companies, under the carpet. So they were customers of SolarWinds who got affected by this, were breached, but they weren't fully transparent about what happened. And they are now facing millions of dollars' worth of fines as

a consequence. So they got data stolen as well and didn't report it? Exactly.

They didn't reveal all of the details of what was going on. Instead, they tried to sweep it under the rug, hoping no one would notice.

A giant clump of digital doo-doo that they hide under there. The rug is big. It's a bit like hiding a corpse. I don't know if you've ever hidden a corpse, Carole. No, no.

Don't try and hide it under the carpet.

Not even for Halloween. No, because you'd stumble over it. It's tricky. You've got to hide it properly. So, for instance, Avaya, they played it cool. They said a few internal emails were accessed. Yeah, actually the hackers had helped themselves to at least one hundred and forty-five files in their cloud storage. So that's a bit more serious.

So they never told customers, then, that their data had been, like... Right, it's super not good.

So then there was Mimecast as well, that apparently didn't even realize that they had been hacked until a year after everyone else. So the security company obviously heard about the SolarWinds breach, but didn't recognize, even though they were a customer, didn't recognise that it had actually fallen victim to it till 2021, a whole year later.

Ooh, right to my face. You don't like this.

I do. Don't like? No, you don't enjoy this. You find this really unacceptable. So in the case of Check Point, it said that they tried to minimize the attack. They failed to disclose the nature of the code which the hackers had stolen, and the quantity of encrypted credentials they accessed as well.

You see, people go too far.

Well, the hackers went too far, yes, and therefore... really, is it? Ultimately, of course, it is, like, it's then the security company for not being honest about what happened. Isn't that what we preach to other victims? Be transparent with your customers.

Hope they don't beat you up too much. That's better than doing a cover-up. Unisys, they described the risks of the cybersecurity breach as hypothetical. Hypothetical! Well, this particular hypothetical breach at Unisys actually stole gigabytes and gigabytes of data which walked out the door, and hypothetically...

It's a bit like dating a volcano and saying, you know, this fire thing, that's a bit of a hypothetical risk, isn't it? No, it's not a hypothetical risk. You're surrounded by flames and fire and lava. It's a bit more than that.

But now they are paying the price. Unisys have been told to pay four million dollars in civil penalties, Avaya one million dollars, Check Point nine hundred and ninety-five thousand dollars. I don't know why the five thousand dollars. And Mimecast are going to have to pay nine hundred and ninety thousand dollars. Yeah. But there's also been damage done to their brand reputation, of course. And there will be customers who found out about this after the fact who will be very, very narked off.

Yeah, because you put a lot of trust in security companies, because, you know, they also sit at a low level on your systems. They have access to a lot of information in order to make sure that it's safe.

And they are supposed to be the experts, these companies, right? They're the ones we trust to keep our data safe. And yet they don't seem to know how to handle security breaches themselves.

Most companies would try and downplay it, and it's sad, but I'm trying to think, they would want to skate that line between honesty and keeping everyone calm so they don't have to deal with huge... employees going crazy and customers going crazy.

But unfortunately, it's one of those things where you kind of should be telling people, shouldn't you, even if it's bad news? It's like, I'm sorry, there's some bad news. It's a bit like if Granddad dies, right?

If Granddad dies, it's upsetting to everybody. But you've got to tell the grandchildren at some point that Granddad isn't going to be around anymore. You can't do a Weekend at Bernie's and pretend that he's still alive.

I agree.

Now, what's your story, Carole, this week?

Okay, okay. So, no big surprise, the whole COVID pandemic thing revolutionized remote working, and there's been, like, a huge increase in remote workers. An Owl Labs

report says that sixty-plus percent of workers aged twenty-two to sixty-five in the States say they work remotely at least occasionally, and that's a huge increase from pre-pandemic times. And remote workers are also apparently more productive. They attribute it to fewer distractions, reduced commuting time and a comfortable working environment. Would you agree with that? Do you think you are more productive in a home environment than you would be in an office environment?

It's been so long since I've worked in an office environment. It's been over ten years for me at home. I love working at home, but maybe I love all of the distractions and being able to nip out for a walk around the park whenever I like, rather than having a boss breathing

down my neck. There's a thing: employees like it, too. Another report found that ninety-eight percent of remote workers would like to continue working remotely, at least part of the time, for the rest of their careers. Yeah. And it seems like it's good for employers too, because remote work has enabled companies to tap into the global talent pool. Like, a Gartner survey indicated that, like, seventy-four percent of CFOs planned to shift some employees to remote work permanently, just to leverage the benefits of diverse and widespread talent.

And less office space to rent. Or maybe you can downsize your office because people only come in once a week; you could stagger them over different days. You know, there's all kinds of big financial reasons why this could be attractive

to businesses too. Absolutely. So all this gives employees more choice over where they can live without having to compromise their careers, because they can work from anywhere, while employers no longer need to stop their search for talent at national borders.

So win, win, win. When a firm finds an international candidate for a contractor position they have open, and this person has the right profile and the right skill set, it's really smart to get your skates on, because that resource won't be sitting on the sidelines for long.

But despite best intentions, things can go wrong, and sometimes very, very wrong, as it did in this case. So a company based in either the US, UK or Australia, they've chosen to be anonymous internationally, for reasons that may become clear.

Okay? So a company on planet Earth, a company on planet Earth. I don't know why they narrowed it. Why did they bother narrowing it down that much?

It's so interesting, isn't it? So they find this strong candidate for a position, for an IT position, an IT role. And they go through all the interview hoops and they onboard this person as a new consultant, and then, of course, you know, tools, tech and access are shared and work begins. And the initial month passes. And sometimes around this point, if you're an employer, you might realize that the candidate might not work out. And this might be because, despite the employer's best intentions, there's just not a good fit. That might be that work quality is low, or there's poor communication, or they show up naked for a video call and break the rules, or whatever.

Yeah, one of those, I won't say which one, but one of those has often been the issue with me when I've started a new job.

Now, in this specific case, the company cites poor performance, and this led to the contractor's dismissal. Fair enough. And so the firm seems to decide to cut its losses and terminate the relationship with the consultant, because he wasn't doing the work properly. And that should have been the end of that, except that following the contractor's dismissal, the company starts receiving emails with attachments containing evidence of stolen data, stolen data from their very own systems. And then the firm receives an email demanding a six-figure sum in cryptocurrency for the information not to be published.

Or sold online, right?

Oh, did I mention that this contractor's employment history and CV were totally bogus? It turns out the contractor, the person posing as the contractor, was actually from North Korea.

Now that makes things a bit... So this isn't just a disgruntled employee, a bit peeved that he's been given the boot. This is someone who maybe came into the organization with a certain intention right at

the beginning, is that right? Yes. So basically this company accidentally hired a North Korean IT worker for a remote job.

The worker stole data and then tried to hold the company to ransom after being fired. Now, it's not new, the North Korean workers attempting to secure jobs in the West. The FBI previously said that there are thousands of North Korean IT workers posing as non-North Koreans to get remote jobs in the US, in order to funnel money back to the North Korean state.

Yeah, I've been reading just recently... I've been reading The Lazarus Heist by Geoff White. And there's so much about this, their attempts to... I mean, this is obviously on a smaller scale, perhaps, than some of the other hacks which they have attempted, but it's all about getting the cryptocurrency and wealth.

Secureworks told Business Insider that its Counter Threat Unit uncovered the activity after the unnamed firm, UK, US or Australia, received the extortion demand. They identified

the activity, but they aren't telling us which country it happened in. Yeah, great. And we don't know if

the company paid or not. There's no information on that. But, you see, many companies would be prohibited from paying a ransom because of the international sanctions on North Korea.

Yes. However,

salaries received via North Korean fraudulent IT worker schemes are an attempt to bypass these sanctions and generate revenue for the country.

Right. So how does it work? Is it that they would, for instance, set up a bank account in the US,

UK or Australia, and they get paid into that, and then they convert that into cryptocurrency for transportation back into North Korea?

So you may have a handler in the middle, right, to collect the... you may have a US address and say, yes, send me all the tech here to the US

address, thank you very much. Yes. Now, in this specific instance, however, it was a slightly different setup. Secureworks say they're no longer just after a steady paycheck; they say they're looking for higher sums more quickly through data theft and extortion from inside the company's defences. And they recommend that companies implement rigorous identity verification procedures, conduct face-to-face or video interviews, and be vigilant for suspicious requests, such as efforts to redirect corporate IT equipment to a different home address.

This is the thing, isn't it? Even if you do interview somebody, it may be a different person who's actually doing the job. So they may have some sort of front person, whether it be on a Zoom call or, less likely perhaps these days, doing it across the desk, who passes the interview. Oh, thank you, you are absolutely wonderful. And then the North Korean chap takes over for the actual hacking and the infiltration of the data. And you know,

the thing is that it opens up another can of worms, because there are scams on both sides. Employees can be scammed, right, by fake companies that are trying to get their details, and employers can be scammed by fake employees. So, you know, employees are told to be very careful about sharing details with new companies until they are completely sure the company's legit.

I've seen advice like: check the company has a legit website, check that it has a company email address, check its LinkedIn profile. These are all easy to create. Yes.

And on the other side,

we've got firms who are wary of hiring scams, and they're told to vet much more stringently. And while these additional steps are necessary, it hampers good people from finding good jobs that are legit. Do you see what I mean? Because both sides are going,

Verify your identity. Send me your passport. Send me your banking details. And the employee's like, no way, you match. Show me you're legit. Yeah.

I think you're right. If we were being interviewed for a job and they asked us to jump through too many hoops, at a certain point we'd go, you know what? No, we're not doing this. You're just too hard to work with. You know, we want to be a bit more relaxed, guys.

Yeah. Apparently Amazon has mandated that by January 2025 every worker has to be back in the office full-time, and there's a huge outcry. Something like seventy percent are saying they're looking for new work because of it.

Yeah, well, can you imagine what it's like working in an Amazon office?

No, I mean, yeah, I think most people are now, like, going, God, how did we work full-time in offices before? How did that happen, every

day, in your lunch breaks?

So the whole point here is remote working has its costs too, especially when you're splashing around in international waters. Everything gets a little bit more complicated. So, I don't know, I guess the advice is: take care.

Whether you're a startup or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001 and more, saving you time and money while helping you build customer trust. Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with

a customer-facing trust center, all powered by Vanta AI. Over seven thousand global companies like Atlassian, Flo Health and Quora use Vanta to manage risk and prove security in real time. Get one thousand dollars off Vanta when you go to vanta.com/smashing. That's vanta.com/smashing for one thousand dollars off.

Quick question: do your end users always, and I mean always, without exception, work on company-owned devices and IT-approved apps? I didn't think so.

So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management. 1Password Extended Access Management helps you secure every sign-in for every app on every device,

because it solves the problems traditional IAM and MDM can't touch. Go and check that out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show. And welcome back, and you join us for our favourite part of the show, the part of the show that we like to call Pick of the Week.

Pick of the week.

Pick of the Week is the part of the show where everyone chooses something. It could be a book that they read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security related.

Necessarily. Better not.

Well, my pick of the week this week is not security related. My pick of the week this week is a documentary which I watched on Channel 4. The documentary is called Undercover: Exposing the Far Right.

And this was a fascinating documentary film I watched last night, following the work of the campaigning anti-fascist organisation Hope Not Hate, whose members track down far-right extremists, go undercover and infiltrate organizations. Wow. And this is the first time Hope Not Hate has allowed cameras to follow its undercover team.

And I think it's really interesting, because it's easy to think of far-right protesters in stereotypical terms, right? I imagine someone, you know, skinheaded, angry louts marching around, shouting abuse at people who aren't white. But one of the things that came across to me while watching this documentary is the puppet masters of the movement, the people at the top, who in some cases were sort of like Cambridge University educated, very well spoken, who weren't necessarily beating up people on marches.

But instead were trying to form an elite group of people obsessed with eugenics, with the potential to influence people in power. And in this particular investigation, these people were looking for like-minded millionaires to fund their right-wing, racist agenda. And so we had this young journalist,

Harry Shukman. He went undercover. He'd never used a hidden camera before, but he went undercover. He posed as someone who'd come into a lot of cash and was looking to invest it, and he pretended to be racist and started to find out more about how this far-right group was operating and structured, what they were up to and, crucially, critically, who their mystery mega-millionaire tech investor was. So there was someone else who would also put a lot of money behind this particular movement.

It's kind of like social engineering, what these investigative journalists are doing in this case, all this undercover stuff. It's basically the same thing.

Yes, not social engineering digitally, perhaps, but in real life. But I would imagine absolutely petrifying. It was nail-biting to watch. And of course, we recently had an outbreak of racist riots in the

UK, which this movie covers as well. And this organization, Hope Not Hate, helped to identify some of the people behind that.

So, really interesting documentary. As I said, I watched it on Channel 4 streaming in the UK. It was supposed to be shown in the last few days at the London Film Festival,

and it was pulled at the last moment due to safety concerns, because threats had been made from, you can imagine, the usual suspects about the airing of this documentary. Anyway, I would recommend it. Really good documentary, which was quite enlightening. And that is why Undercover: Exposing the Far Right is my pick of the week.

A worthy one that I think you'd

find interesting. Carole,

what's your pick of the week? Okay, I may be breaking the rules today, and I'm doing it with the full knowledge that I have had this pick

of the week before. What?

Yes, yes. It's nearly upon us, spooky time of year. And you know, the elections in the States are coming also.

Pretty scary. Pretty spooky. Yes.

So I'm thinking, what, you know, what is the scariest movie that I've ever seen? Do you have an answer, if I ask you?

Scariest movie I've ever seen? Oh, probably something like Doctor Who and the Seeds of Doom from 1970, I think it was. That's pretty scary. Okay, what's the scariest movie you've seen? The Shining?

Thank you for asking. No, the 1973 movie The Exorcist. Definitely the scariest movie I ever saw. Hands down.

It may have been to do with when I saw it; I was way too young. But every time I've watched it, it's utterly chilling. But even more chilling than The Exorcist is the BBC documentary that I watched last year about the making of The Exorcist, The Fear of God: 25 Years of The Exorcist. This is with Mark Kermode. He's a talented, engaging UK-

based film critic. The documentary blew my mind, because a lot went wrong in the making of the film.

Yes. And if you've watched the film, it is scary. The girl, like, she looks petrified. And when you watch the documentary, you realize that, yes, she really was. And you realize why?

Because the director was bonkers. It was William Friedkin. He was meant

to be bonkers. Yeah, truly bonkers. So this was my pick of the week back in episode 294. It's my pick of the week again on 390 because it's that good a documentary.

But as a bonus, I've also put a link to a short eight-minute essay on The Exorcist from Mark Kermode's podcast. Kermode and Mayo's Take is a great resource for film buffs. It's like five hundred episodes or more. So they are podcast veterans like us.

Cool. So I've never watched The Exorcist, quite intentionally. I've avoided it because I've heard it... it doesn't really appeal.

Then watch the documentary.

I'm a little bit scared. I am interested in the documentary. The documentary was great. But I wanted to know, okay, you say that's scary. Have you seen Doctor Who and the Seeds of Doom?

No.

Plants taking over the world. It's really scary. Well, that just about wraps up the show for this week. You can follow us on Twitter at @SmashinSecurity, no G, and don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts

and Pocket Casts. And thank you to our episode sponsors Vanta and 1Password, and of course to our wonderful Patreon community who support the show and help us give you this show for free. Episode show notes, sponsorship info, guests and the entire back catalogue of more than two hundred and eighty-nine episodes, sorry, back catalogue of more than three hundred and eighty-nine episodes: check out

smashingsecurity.com. And so, until next time, cheerio.

I almost cut off one hundred episodes just like that, just like, boom. Yeah, slip of the tongue. We lost a hundred

shows' data.