Bohdan Hopanchuk, a TADSummit regular, introduced his friend Jack Sessions, a Security Researcher (Mobile). Jack was a bounty hunter for the US DSS (Diplomatic Security Service), has helped 12 countries’ security services find and track cyber criminals, and contributes to many open source projects with a focus on mobile security and AppSec. This was an around-the-world conversation, with Jack in Melbourne, Bohdan in Slovenia, and me outside NYC.
Jack works on phone / device security, particularly anti-forensics and counter intelligence. Anti-forensics techniques are used to obstruct or prevent digital forensic investigations. Counter intelligence encompasses activities aimed at protecting a device’s data. It’s a yin-yang situation: to adequately protect a device, you also need to know the latest techniques used to extract its data.
You’ll hear about the research Jack performs using a sandbox on the device. Because of his work, Jack, like Bohdan, is approached by cyber criminals. Bohdan will share the size of the spend he sees on fraudulent activities. We wrap up the session with advice from Jack.
Jack ran a podcast that talked with cyber-crime groups to understand why they do what they do. His approach to reaching these groups was to show respect for their skills, without judgement on what they did. He interviewed Maksim Yakubets, a hacker, an alleged leader of Evil Corp and the man behind the Dridex hacking operation. You can learn more about Maksim here.
The first topic was phishing / smishing, which has grown significantly over the past 10 years and has moved beyond smartphones and laptops onto IoT (Internet of Things) devices to expand the size of botnets. IoT devices tend to be some of the easiest targets.
Jack started the discussion by noting that SMS / MMS do not have security baked in; it’s not inherent in the design. There is encryption between the carriers, but not on the device, where messages are in the clear. From Jack’s perspective, attacks using SMS/MMS have ramped up since 2005, and it’s simply economics. Cybercriminals are lazy: rather than develop the latest malware, they use well-known scam techniques in the hope of getting lucky. Simply put, the person answers the text / call and believes the scam.
Scam awareness has improved; I’ve highlighted the work of the Australian government in educating its citizens in the Honest CPaaS Review. Jack highlighted that scams are funded simply by targeting people who do not recognize it’s a scam. For example, they believed they needed to pay the fine (the scam). Scams fund scams.
Mobile security needs a holistic approach. Jack builds solutions for Android and Linux phones. We recently saw a start-up, Cape, focused on mobile security. Perhaps Jack’s work could be relevant there?
Understanding the threat model is key, i.e. what attacks are likely? For a regular person: download Signal, encrypt the phone, use hardware authentication such as Yubico keys, and don’t click on sketchy links (which is getting harder).
Bohdan asked about the dark web, and Jack gave an excellent summary: it’s a worse version of Reddit and eBay. The users of the dark web break down into:
- Users wanting illicit products and services, these account for most users;
- Security researchers and law enforcement; and
- People looking for fun / escape.
The conversation then moved onto the risk RCS poses by hiding sketchy links behind a button or table, rather than the dodgy link being shown in the SMS. Jack sees it as a balance between the attackers and defenders. His solution is a sandbox in a virtual machine, so malware can be discovered there. It’s just one of the sixteen ways Jack’s phone has better security. We’ll discuss more of Jack’s methods later in the year; he’s presenting them at a conference.
Jack then detailed some aspects of his project, which is built on GrapheneOS, and the security issues it has, which he addresses, including the custom secure kernel he’s created so the device can run on Tor or the I2P network. Similar phone solutions are available quite cheaply, <$100, on Telegram groups.
Jack then described the approaches he has received from multiple groups regarding his research on operational security, digital forensics and OSINT (Open Source Intelligence). This comes back to Jack’s first point on the need for a holistic approach: to adequately protect a device, you also need to know the latest techniques used to extract its data.
Jack references one of his favorite books, On War by Carl von Clausewitz. Its point on energy, time and resources is a good framework for security: where do you focus? Which leads Jack to ask a question: is it the fines or the data loss that concerns telecoms more?
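As an added illustration (not code from the podcast or from Jack’s project), a small Python audit that pulls out every URL sitting behind an RCS suggestion button, which the recipient never sees as text, and flags the ones worth surfacing. The message layout is an assumption modelled on RBM-style JSON, and the sample message and trusted host are constructed.

```python
import re
from typing import Any, Iterator
from urllib.parse import urlparse

# Constructed sample RCS agent message (layout is an assumption modelled on
# RBM-style JSON): the user sees only button labels, never the URLs behind them.
SAMPLE_MESSAGE = {"contentMessage": {
    "richCard": {"standaloneCard": {"cardContent": {
        "suggestions": [
            {"action": {"text": "Pay now", "openUrlAction": {"url": "http://198.51.100.7/pay"}}},
            {"action": {"text": "View on tolls.example",
                        "openUrlAction": {"url": "https://tolls-example.invalid/login"}}},
        ]}}},
    "suggestions": [
        {"action": {"text": "Help", "openUrlAction": {"url": "https://tolls.example/help"}}},
        {"reply": {"text": "Stop", "postbackData": "stop"}},  # no link behind it
    ]}}

DOMAIN_RE = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def iter_url_actions(node: Any) -> Iterator[tuple[str, str]]:
    # Yield (button label, url) for every openUrlAction anywhere in the payload; other suggestion types are skipped.
    if isinstance(node, dict):
        action = node.get("openUrlAction")
        if isinstance(action, dict) and "url" in action:
            yield node.get("text", ""), action["url"]
        for value in node.values():
            yield from iter_url_actions(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_url_actions(item)

def audit_hidden_links(message: dict, trusted_hosts: set[str]) -> list[dict]:
    # One finding per button URL a recipient would want surfaced, with the reasons.
    findings = []
    for label, url in iter_url_actions(message):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.scheme != "https":
            reasons.append("not https")
        if host.replace(".", "").isdigit():  # dotted-quad literal instead of a name
            reasons.append("raw IPv4 host")
        if host not in trusted_hosts:
            reasons.append("host not in trusted set")
        if any(m.group(0).lower() != host for m in DOMAIN_RE.finditer(label)):
            reasons.append("label names a domain the link does not go to")
        if reasons:
            findings.append({"label": label, "url": url, "reasons": reasons})
    return findings
```

Run against the sample, the "Pay now" and "View on tolls.example" buttons are reported while the genuine "Help" link is not.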
I gave a personal view in answer to that question: the fines are generally inconsequential for the carriers, and so much personal data has already been lost. I focus on the losses for the carriers’ customers. In the US, 41% of 65+ year olds are scared to answer the phone because they are scared of being scammed. I covered this in the Honest CPaaS Review.
This brought up the T-Mobile $33M settlement for Joseph “Josh” Jones, who lost more than 1,500 Bitcoin and around 60,000 Bitcoin Cash – valued at $38 million – as a result of a SIM swap attack. The incident happened on February 21, 2020, and was made possible by a T-Mobile employee agreeing to transfer Jones’ phone number to a SIM card owned by the attacker. This settlement will change the landscape for telcos; we’re going to see lots more lawsuits in the US. T-Mobile also got 200k YubiKeys for its employees.
The discussion moved onto privacy, and how Jack takes a more nuanced view on privacy because of AI. What AI lacks is wisdom, which comes from doing and failing. Wisdom is the ability to use knowledge, experience, and understanding to make sound judgments and decisions. We were at risk of heading off into a philosophical discussion; however, Bohdan brought the discussion back to fraud.
Bohdan explained Australia is a target because the average life savings for a family is >$200k USD. Scammers are social engineering across SMS, IP messaging, etc. Scammers are spending $100k daily for traffic into, say, Australia, about 20 million messages. And it’s not just direct routes: they also use SIM boxes, and they pay local people who run apps (the euphemism is “local handset testing tool”) on their phones that receive the international SMS and resend it as local traffic. Bohdan highlighted that it’s not only adults who click on a link; it can be children on a family plan.
Bohdan highlighted a strategic issue: carriers still allow SMS to be sent via SS7, which is often used for sending phishing. Here is Tim Biddle’s post on Global Titles, where the UK’s Ofcom is planning more stringent regulation.
Jack leaves two things for people to think about and take with them:
- Know your threat model (what are the likely attacks?)
- Learn counter intelligence to keep your data safe.