The Decentralists

Hot Topix: A Hostage Situation

August 09, 2021 Mike Cholod, Henry Karpus & Chris Trottier

Over the past few weeks, we’ve heard a lot about malware. But what exactly is it? For example, major gasoline supplier Colonial Pipeline was shut down after it suffered a ransomware attack. Colonial reportedly paid $5 million in Bitcoin to a Russian hacker group called DarkSide.

Why has there been so much malware lately? Hacking, phishing, ransomware, viruses: they’re all different forms of malware, and they’re all increasing. Businesses, governments, hospitals, and schools are being attacked with more victims each week.

How do hackers turn our own data against us? What can we do about it?

To fight malware, you must understand what it is, and what exactly is at risk.

Henry: Hey everyone. It's Henry, Mike and Chris of The Decentralists with another hot topic. Over the past few weeks, we've heard a heck of a lot about malware. What exactly is it? For example, just last week, Colonial Pipeline, the largest supplier of gasoline to the US east coast, was shut down after it suffered a ransomware attack. Colonial reportedly paid 5 million in Bitcoin to a Russian hacker group, DarkSide. What's going on with this malware? Hacking, phishing, ransomware, viruses: they're all different forms of malware and they're all on the rise. Businesses, governments, even hospitals and schools are victims of ransomware attacks. It seems that it's just gonna become more common. How can hackers turn our own data against us? What can we do about it? In order to fight malware, you have to understand what it is and what's at risk. This week on our hot topics episode: it's a hostage situation.


Mike: I love that name.


Henry: Mike. It's very dramatic.


Mike: It is very dramatic. I think it's important to actually talk a bit about malware. Yeah. You know, ransomware is kind of the latest flavour of the month in this category that they now call malware. Back in the early days, Henry, it was viruses, remember?


Henry: Why don't you start quickly telling us about malware, just general overview, and then let's dig a little bit more deeply into ransomware.


Mike: Sure. Okay. So, if you think about this category called malware: the internet and viruses and hackers used to be way more simple back in the day. They'd call it a virus. You would open your computer one day, you would get a message, or somebody would send you a link, you would click on it and a dancing banana would take over your screen or something like this. In the early days, all it was, literally, was a screen cover. Remember? You'd come in and there'd be a happy face laughing or something like this and you couldn't get to your computer. Okay, and that was where it all started. That was a virus, because there was some piece of code that somebody found, and they called it a vulnerability. Right, and so this virus would infect your system because your system was vulnerable. It would do this goofy thing. Right. It would execute a screen cover that you couldn't get through. Then, I would argue, the computer systems got more secure, but there were more people on the internet. Now what you start to have is more hackers and more incentive to hack, because there are more people. Then as the security things, you know, get built and everybody starts buying antivirus from Norton and Kaspersky and all of these guys, it turns into different types of not-viruses. Right. They do different things.


Henry: Yeah and all the while Mike, there's been so much more data.


Mike: That's the other point. Right. That's what I was getting around to, Henry. You're very astute today. It is one of those things where, if you want to think about it, malware is no longer about annoying the person who has the computer, okay, and making them inconveniently have to do some kind of a reinstall. What malware is now about, okay: phishing is a term that basically means somebody sending an email, phishing for credentials. Right, and then you've got viruses, which infect systems and cause them to fail. Now you've got ransomware, which is a self-executing program: if the hackers get into your network, they send a file to the deepest roots of the server and the database that runs your business and they encrypt it. Encryption basically means that you put a shell around this data and you make it unreadable to anybody who doesn't have the key. We talked about that in one of our education episodes. So if you think about it, a lot of companies and people, humans, right, we talk about encrypting our data. That's what we do to secure it. Okay, if you have the key. So what ransomware is, is somebody else encrypting your data, and they have the key. Now what you've got is this: wait a second, you open your computer up, you come into work, none of your systems work. Then there's a message that pops up on your administrator screen saying, I'm from DarkSide, press this button. Here's my crypto wallet code. You need to transfer 40 Bitcoin and I will send you the key.


Henry: Okay. Now, hold on right there, Mike. I'm gonna ask you a question that I have been wondering about in the last few days after reading everything that's been in the media. Am I right in thinking that when this code executes and encrypts all their data, a reasonable organization would indeed have a not-too-old backup elsewhere that is not attacked? Is that correct?


Mike: Yes. That is generally correct. That would be your standard operating procedure. But sometimes, in some of these instances, even the backups are corrupted. Also remember, okay, what this thing has done: if ransomware comes into your servers and encrypts your entire system and they have the key, when you're somebody like these Colonial Pipeline guys, right, or a retail business, right, or an educational institution, whoever it is, it's not so much the fact that you can restore from a backup. You probably could, but it would mean that you would have to wipe everything that you have first. Okay. Then reload everything that you have, which could take weeks. And literally, within half an hour of that Colonial thing being announced, there were people shooting each other in lineups at gas stations. You know what I mean? Because they literally couldn't get gas fast enough. Because it was, you know, the hoarding thing, like people had with toilet paper at the beginning of the COVID stuff. This is kind of the plus and then the minus of things like encryption. Most people think really, really good things about encryption. When most people hear encrypted, oh, it's an encrypted service, it's an encrypted end-to-end messenger, it's an encrypted, you know, database, and it's your data and it's encrypted, you think that's great. But if you don't have the key, that encryption works against you. I've talked to people who have had ransomware attacks, and literally 99% of the time you pay.


Henry: Is that right? Is it that high?


Mike: There's actually companies that specialize in, you know, you call them, it's like a 24-hour service, and they will show up and they will negotiate on your behalf with these DarkSide guys or whoever the ransomware provider is. It's actually a business, Henry. Like, I know somebody that got hacked, get this, they got ransomware attacked. They were a business. They brought in these consultants, the consultants talked to the hackers. The hackers said, you need to send us your financial statements for last year. Oh, as a business, you need to send us your financial statements because we want 1%. So we wanna see how much money you made last year. Then we're gonna come back to you with the number you have to pay. Then basically these guys negotiated back and forth over what kind of financial information they had to provide and what number they agreed on, and they paid.


Henry: Oh my. So that's what makes ransomware so scary.


Mike: It literally is a hostage situation. It literally is, Henry. Imagine, just simply on a personal scale, if you opened up your computer with all of your photos from your family and everything, all of that stuff from years and years past, all stored conveniently on that big computer and backup drive you have. Then you come in one day and it's all locked and somebody tells you, Hey, Henry, it's time to buck up a Bitcoin, and by the way, a Bitcoin right now is $40,000.


Henry: Well, okay. So how do you protect against something like ransomware?


Mike: Well, Chris, what would you do?


Chris: I honestly have no clue.


Mike: There's nothing you could do when you're ransomed.


Chris: I mean if they've got root, frankly, they're my daddy.


Mike: Yep, exactly. Time to go to Coinbase and get yourself a wallet.


Henry: It's kind of like if someone kidnapped a member of your family.


Mike: What choice do you have? Well, this is the thing, right? So the idea is, I would argue that, you know, the choice you have is to try to minimize your footprint.


Henry: What do you mean?


Mike: Well, I know from another friend of mine who got ransomware attacked what happens. On any day in a business, and the bigger the business, the more this happens, people come in, there's new employees, there's people that leave, there's people that are promoted to different levels of access. There are consultants that come on and need to be able to access the corporate systems, right, for a certain amount of time or whatever. Okay. So every time that happens, the company creates another username and password. Okay, and they assign a level of access to that username and password and they give it to a user. So if I'm somebody who comes into a company and I'm hired as a consultant to work in the IT department to help them do some project, then I leave the company when my project is over, it's up to the company to take that set of credentials, that username and password that are assigned to me, and disable them. Okay. So in this instance I'm talking about, a consultant left the company two years earlier, and somebody sent a phishing attack pretending to be the company and somehow managed to convince this person to cough up those credentials that they had two years ago.


Henry: Are you talking about this despite the fact that this consultant was no longer there?


Mike: Was gone, and so this was a case where somebody forgot to check a box that said disable this consultant's credentials, and they were live for two years. Okay. So, this phishing attack goes out, they get this set of credentials and then they use the credentials. Okay. So, if there was no username and password, probably a large number of these ransomware attacks, and definitely the majority, if not all, of the phishing attacks would not be successful, because there would be no credentials to use or exploit.


Henry: Okay and hold on, could you just explain phishing again? I think most people know it, but maybe some don’t.


Mike: They call it phishing because what people do is they'll use an automated email program to literally send a spoof email that says, this is DHL, you have a package, blah, blah, blah, log in here to your DHL account and accept the package.


Henry: So it looks completely legitimate. The point is, if you're an employee at a company and you're kind of new and you get something that looks like a legitimate company email, it's natural to click on it.


Mike: Well, this is what happened six, eight months ago, maybe even during COVID, a year ago, with Twitter, where basically some hackers, and it was apparently some 14-year-old kid hacker in Florida, sent about a hundred emails to a hundred Twitter addresses of people who worked at Twitter. He pretended to be from Twitter's IT department, saying that he needed their credentials in order to go into their account and adjust the security settings, that it was a new corporate policy, and he literally got control. Chris, didn't he even go in? Isn't that the one where he went in and they basically used this to go in and turn off all of these blue check accounts, like Obama and all these guys?


Chris: He did something worse, Mike. He took control of blue check accounts and he promised a whole bunch of people that he would be sending them Bitcoin.


Mike: Oh, that's right. He pretended to be Elon Musk. He took over Elon Musk's account or something.


Chris: Yeah. He did and Barack Obama's and a whole bunch of other A-list celebrities.


Henry: And he was just fooling around as a 14 year old kid.


Chris: I don't know about that. I think he knew what he was doing. I think he wanted to get rich quick, and to be real, he got himself half a million dollars' worth of Bitcoin within 24 hours.


Mike: Geez. Well, and I mean, that's crazy.


Henry: If you can sell it, you could make money.


Mike: Well, and that's another part of it, right? Like that's another thing that a lot of times gets missed in the articles about this DarkSide hack on the Colonial Pipeline, right. DarkSide is an organization, because they're on the dark web, right, which, you know, is basically just a web that doesn't have any security on it, but they run it like a business. Like you go there and there's almost like a PayPal link and, you know, all of this stuff. But one of the other things that DarkSide does: not only do they hack people and install ransomware and take them hostage, right, they sell the tools so that other people, like a 14- or 18-year-old kid in Florida, can go and hack and pretend to be Elon Musk and make himself half a million in Bitcoin.


Henry: Okay. So Mike, get back to the question I asked you: how do you protect against this?


Mike: You get rid of the username and password, realistically, at the end of the day. You know, almost all of the issues that affect most of us on a daily basis, from viruses to phishing attacks to spam, you know, all these emails you get that are garbage, right, things like ransomware, all of this is based on this foundation that has been kind of poured over the top of the bedrock of the internet, which is user identity and access. So all of these websites that have based their business model on collecting data on their customers, or, you know, their users or their community, have a layer on top that is these credentials, username and password. That is the thing that gets you in the door, and literally, Henry, it's actually in the name. You know, you've heard this adage: there's only two industries that refer to their customers as users. One of them is big tech, or tech companies, and the other is drug dealers. Yeah. Okay, and I was thinking about that the other day, and it's actually even simpler. It's called a username, right? So if you have ever gone to a website, or to an app, and if you're like me you probably have, where you've entered a username and a password, okay, you have created a credential that's identifiable to you and a credential that can be used to get into the system that's behind that. Right. You are not an owner. You are a user. Okay. So even your data is not yours, and so in a corporate environment that username leads to a corporate email account, leads to a corporate admin account on the Active Directory server or in the IT department, or it leads to the finance department. Once you're in, you can get around most corporate environments. So what if there was no username and password, and instead of signing up for a loyalty program with a username and password and creating another vector that can be attacked, what if you could just scan a QR code?


Henry: Well, hold on, usernames and passwords are about as fundamental as gravity on the internet. Are you serious? How can you be reasonable to say everybody get rid of them?


Mike: Well, because let's think of what a username and a password really is, right? This is the cause of malware and ransomware. I'm trying to, like, this is something that's very important. Basically, when a company like Amazon, what do they really want? Hell, let's go Google. It's real obvious. What does Google want? They want the data of what's being searched when people type things into that browser window so they can sell advertising, and that's called metadata. Okay. So my website, went here, typed in shoes. Okay. But when you add a username and password, an account, on top of that, okay, now what you've created is a vector to access the service that is now linked to me. Right? So in a corporate environment, basically, what does a company need you to be able to do, Henry? They need you to be able to send an email from the corporate email account and receive emails from a corporate email account. They need you to be able to access the corporate CRM and all of these things. Each of these services requires a username and password. So the company has no choice. But what if you could say, it's not a true username and password, it's a digital certificate. Okay. It's a little like a tag that says Henry is allowed to access this data, but it doesn't actually say Henry, it's just a link to you. Oh, it's like a digital watermark that allows you to access. So now what happens in a corporate environment is there is no plain text username and password that you have to remember anymore, because you just scan a QR code with your phone and you access the service. You've never created that account in the first place. It's never been replicated to access all these services. That means you're inherently more secure from somebody stealing a username and password, because they no longer exist.
If you didn't have a username and password to anything you owned, Henry, none of the stuff that you owned, none of the accounts that you access, could be accessed by one of these hackers by stealing your credentials.


Henry: So the QR code, Mike, it seems like it has some potential. It's kind of like a QR code: you look at it, you don't know, it doesn't tell you anything.


Mike: Well, it looks like a barcode on a product. It doesn't tell you anything, but to somebody who scans it, it tells them something. Okay. If what you basically said was, you scan this QR code, and on your device there was some link that said it was Henry, and they allowed you in right then, that transaction that allowed you to connect with the email program is essentially, in effect, the credential that links you, Henry, to that metadata: the access to the email or the access to the database. It doesn't need to be hkarpus@xyz.com with a password. Right. It could be a link. A direct link from you to them. That's what we are working on. That's kind of how we want to connect people. Or we are connecting people. Don't use a phone number to identify somebody. Why do you need to, right? If it's you and it's your container, and instead of calling yourself Henry Karpus you want to have a big, long encrypted number string as your name and address, that's fine. You just take that and make it a QR code that somebody can scan. You don't need to have a username and password. This is the basis of what we wanna do, and it's how you make connections more secure. But it also has ramifications in how we protect our data and access our data in other services. Maybe we could, you know, instead of industry and business focusing so much on trying to get us to give them more data so that they can make more money off of it, maybe there's a way to reach an equilibrium where we control, you know, they can have the metadata. Like if I type something into a Google search bar, I'm using their service, let them have that data, but don't let them have my personal address. Yeah, don't let them connect it to you. Exactly. Right. Let them do their business. They can still make money. They can still do their things. They can still sell advertising. They just don't need to have that link. I think what you're gonna see, and what you're seeing right now, with things like ransomware, is even big companies who've spent lots of money on internet security and all of these things are still being defeated by something as germane as a username and password. Yeah. It's incredible. Right, and so people are starting to realize, like, maybe it's just better if I was the one that had control over every way I connected. Whether I was connecting with you, Henry, or Chris, whether I was connecting with my employer or the store that I buy my groceries from, or with my government. Yeah. Maybe I should be the one. Wouldn't it be easier if I'm the one that owns, you know, me, and then I just say, Hey, I'm me, and you say, Yes, Henry, you're welcome, you come to work. I go, okay, great, I scan, and then there's a connection. That's secure and powerful. And it doesn't require me to remember another password or do anything else. Now business gets to say, oh great, I can still work with all of my metadata, but I don't need to have all that user data that costs me so much money to protect in the first place, but still leaves me vulnerable to a hostage situation like a ransomware attack. Right.


Henry: So that's true self-sovereign identity.


Mike: Absolutely. That's the future and that's how we're trying to fix it for people and for business. I think, you know, the ramifications or implications to malware could be extreme if we just decided to kind of meet in the middle.


Henry: Michael, thank you very much. Chris, thank you very much. Now we know a heck of a lot more about malware and its very scary cousin, ransomware. But the way to mitigate is: let's move away from usernames and passwords. I like the direction of anywhere. Thank you, gentlemen.
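The stale-credential story Mike tells (a consultant's account left enabled for two years after the engagement ended, later harvested by phishing and used to get in) is the one part of this episode that maps directly onto a routine control: periodically audit the directory for enabled accounts that are past their contract end date or have not logged in for a long time, and disable them. The script below is an added example, not code from the podcast or from its hosts' product. It runs over a constructed, hypothetical directory export; the field names (`username`, `kind`, `enabled`, `last_login`, `contract_end`), the user names, the dates and the 90-day idle threshold are all assumptions chosen for illustration, not any real product's schema or policy.

```python
"""Stale-credential audit for an offboarding process (added example).

Input is a constructed, hypothetical directory export. Field names and
values are assumptions for illustration, not a real directory schema.
"""
from datetime import date

MAX_IDLE_DAYS = 90  # assumed policy: review any enabled account idle longer than this

# Constructed sample export (hypothetical accounts and dates).
SAMPLE_ACCOUNTS = [
    {"username": "hkarpus", "kind": "employee", "enabled": True,
     "last_login": "2021-08-06", "contract_end": None},
    # The scenario from the episode: contractor gone for two years, still enabled.
    {"username": "it-consultant-07", "kind": "contractor", "enabled": True,
     "last_login": "2019-05-30", "contract_end": "2019-06-30"},
    {"username": "svc-backup", "kind": "service", "enabled": True,
     "last_login": "2021-08-08", "contract_end": None},
    {"username": "former-intern", "kind": "employee", "enabled": False,
     "last_login": "2020-12-01", "contract_end": None},
    {"username": "vendor-temp", "kind": "contractor", "enabled": True,
     "last_login": "2021-07-20", "contract_end": "2021-09-30"},
]


def _parse_date(value):
    """ISO date string -> date, or None when the field is empty."""
    return date.fromisoformat(value) if value else None


def audit_accounts(accounts, today, max_idle_days=MAX_IDLE_DAYS):
    """Return {username: [reasons]} for enabled accounts that need review.

    Two independent checks are applied to every enabled account:
      * contract_end in the past  -> access should have been revoked at offboarding
      * no login within max_idle_days (or never) -> dormant credential nobody would miss
    Disabled accounts are skipped: they already have no usable credential.
    """
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        end = _parse_date(acct.get("contract_end"))
        if end is not None and end < today:
            reasons.append(f"contract ended {(today - end).days} days ago")
        last = _parse_date(acct.get("last_login"))
        if last is None:
            reasons.append("idle never logged in")
        elif (today - last).days > max_idle_days:
            reasons.append(f"idle {(today - last).days} days")
        if reasons:
            findings[acct["username"]] = reasons
    return findings


def disable_flagged(accounts, findings):
    """Return a copy of the export with every flagged account set to enabled=False."""
    return [
        {**acct, "enabled": False} if acct["username"] in findings else dict(acct)
        for acct in accounts
    ]


if __name__ == "__main__":
    # Pick the episode's air date as "today" for the constructed data.
    report = audit_accounts(SAMPLE_ACCOUNTS, date(2021, 8, 9))
    for user, reasons in report.items():
        print(f"REVIEW {user}: " + "; ".join(reasons))
    cleaned = disable_flagged(SAMPLE_ACCOUNTS, report)
    print(f"{sum(not a['enabled'] for a in cleaned)} of {len(cleaned)} accounts now disabled")
```

In the sample data only the long-gone contractor is flagged, on both grounds at once; the active contractor with a future end date and the recently used service account pass. In practice the export would come from the directory itself and the disable step would call its API rather than rewrite a list, and the contract-end check is only as good as the HR data feeding it, which is why the idle-login check runs alongside it as an independent signal.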