Podcast 101: TADSummit Innovators, Jeremy Turner, Aaron Birnbaum, Bohdan Hopanchuk

Thank you Bohdan for bringing everyone together. The new people on this podcast are Jeremy Turner from TacitRed, and Aaron Birnbaum (TRaViS). They both provide external attack surface management, and bring extensive experience across cyber security and even telecoms. Aaron and I have MCI and BT in common, as they did a joint venture many years ago. We started with Jeremy and then Aaron introducing themselves and their companies. We then moved on to some advice from Bohdan, and wrapped up with a discussion on where to buy critical threat intelligence.

Before we started, Jeremy showed privately how easy it is to break into telecom operators, fixed or mobile, because of the vast number of vendors they use, and the vast technical debt in telecom networks. It is still possible to telnet into many vendors’ equipment (routers) in telecom networks and pull real-time data.

Telnet, or Teletype Network Protocol, is a network protocol that allows users to access a remote computer and communicate with it using a command line interface. I was using Telnet as a student back in the ’80s, and throughout my time at BT labs. It was defined in the ’70s.

Access to credentials is easy and cheap on the dark web. Credentials are available for $5, access to a botnet for $20, and prices rise from there for specific access requirements.

Jeremy Turner from TacitRed reviewed how they continuously analyze global attack signals and threat intelligence sources to pinpoint active exposures, attacks, and risks for over 18 million US companies. They deliver:

  • Curated and detailed threat intelligence;
  • Maps and visualizes external attack surface;
  • Identifies and prioritizes attacked and at-imminent-risk assets;
  • Delivers valid evidence enabling rapid threat mitigation; and
  • Increases security analyst proficiency and reduces 3rd party risk.

I asked who the easiest companies to attack are, and Jeremy’s immediate answer was all the big ones, because of all their suppliers and partners, their large number of employees, and cyber security being viewed as a cost center rather than necessary cyber risk insurance. That creates a large attack surface, and it really is not that difficult to find credentials. From the dark web you can get session tokens, which bypass MFA (Multi Factor Authentication) entirely.

On the PSTN hack, the reality is that the threat actors are no longer hiding or going low and slow. The networks are infested, so criminal hackers can be quite open. It’s like a barn: when there are only a few mice, they hide because the cat will get them. Now there’s no need to hide, as there are so many of them that the cat is irrelevant.

Is it just China? No, any nation state that has an offensive cyber security program has access to the US PSTN. Jeremy confirmed a suspicion that CALEA (Communications Assistance for Law Enforcement Act) is not being used as the route into the PSTN. Criminals can walk in the front door, as it’s essentially open. There are info-stealer markets, and most telecom networks have well-known vulnerabilities. Telcos’ extensive use of third parties in second and third world countries makes bribery easy. Persistent access is not difficult; the PSTN is infested.

If you want privacy, an encrypted messaging app is your only choice. Remember, it’s not just privacy: someone using your data in real time makes you open to cyber attack. But for the network operator, there is no quick fix. That is why a senator said their hair was on fire! It means the doors are wide open. So it’s going to be interesting what the telcos do to be compliant with the FCC’s request. Likely, expose the reality and then build from there. Removing Huawei equipment should have been done already, and at this point there are more important steps in removing the infestation.

Jeremy made a great point on awareness. Consumers make a general assumption that there is security in the PSTN. Unfortunately that assumption is false. There are no standards for enforcement and regulation of security. Businesses have invested where revenue is generated, and cyber security is a cost.

Bohdan shared his experience using Skype and the criminal groups there, where he was able to get a free trial account to send phishing to real phone numbers in the US. A free account!! The volume of business is so high that the criminals are happy to bring more potential customers into their services, and charge once those customers are generating revenue. The scale of the problem is vastly underestimated.

We discussed a number of startups appearing in the messaging space, e.g. Shane Mac. And Cape, that just raised $61M, to build a nationwide mobile network that provides premium wireless coverage and masks personal identifying information like names, numbers, and locations.

We then moved on to Aaron Birnbaum (TRaViS). Aaron explained why Skype does not moderate the content: Section 230 of the Communications Decency Act is a US law that shields online platforms from being held legally responsible for content posted by their users.

TRaViS is attack surface management:

  • Powerful OSINT (Open Source Intelligence, the practice of gathering and analyzing publicly available information to gain actionable insight).
  • Simplified reporting.
  • Dark web monitoring.
  • Fast, complete CVE locating. CVE (Common Vulnerabilities and Exposures) is a system that identifies and catalogs publicly known cybersecurity vulnerabilities.
  • Secured access for your team.

Criminals do not use original hacks; they use variations on known methods. For example, people tend to use their work emails in lots of places, often with the same password, because people are lazy. A search on the dark web can reveal a long list of places where a work email is used, and where it can be exposed.

Aaron raised the important point that cyber security is seen as a cost center. IBM shared that the average cost of a cyber security incident is $4.1M. OSINT (Open Source Intelligence) is widely used, and I fully support Aaron’s point on contributing to open source projects if you are using them. This is the #1 complaint I hear from the open source projects that are part of TADS.

Bohdan shared some advice on popular end-to-end encrypted email. Aaron made a good point that self-hosted is best, but time and effort are always a limiting factor.

Jeremy added using a VPN, for example 1.1.1.1 from Cloudflare. Aaron added Telegram and Signal to the list for messaging. The fundamental problem is that not enough people care. We then discussed a number of emerging threats, focused on individual ransom attacks. I confirmed with Aaron that the improvements in Internet infrastructure have reduced DDoS attacks.

We finished on an interesting question from Bohdan: where should an ethical hacker buy credentials? The dark web sources are always the fastest and cheapest, BUT that encourages the criminals. Aaron gave an example of a company they used as a source of critical threat intelligence. However, because that company was working with dark web sources, they had to sever the relationship. You cannot fund the criminals.

This was an amazing discussion. The PSTN is infested, it’s going to take years to plug all the holes. A secure messaging app looks like the best option today.
