
Episode #3 - The Packet Advantage

The White House cyber-workforce initiative, one-ring phone scams and Mirrorthief cybercrime group target online campus stores with card skimming malware. These cyber security news stories plus a deep dive into the Packet Advantage.

Release Date: Jun 3, 2019

Duration: 25:31


Contributors:

Show Transcript

Intro Snippet

Getting levels, we're good. You guys ready to run? Almost, yeah... What is the packet advantage?

Intro VO

Welcome to the Hash-Time Show. Your weekly review of cybersecurity news and info. This is episode number three. On today's show Dave, Chris, and Jeff discuss the White House Cyber workforce initiative and dive into the packet advantage.

Show

Welcome back to the show. We're on episode number three of our podcast, The Hash-Time Show. My name is Chris Vincent, I’m one of your hosts. With me today is Jeff Marshall and Dave Norlin. We're back and we're going to talk about cyber security again this week. Guys, what do you think?

I'm ready to talk about cyber security.

I don't know what else we talk about.

We can talk about whatever you want Chris.

Getting to Know You

Actually, that leads me into segment number one, which we like to call getting to know you, around the hash table, and I want to ask you guys: if you weren't doing cyber security, what would be the next industry you might be in? What excites you? It could be anything. Jeff, I’ll start with you.

A billionaire on the beach, I don’t know.

[Laughs]

That's not an industry. So last week you told us about how you love IT, that you have been doing it for a long time.

But yeah, so I actually started going to school to be an architect. So that was kind of my original career path was you know CAD and architecture and designing buildings.

Okay so, be an architect in New York or San Francisco?

Now I realized how boring that sounds.

You can be an architect on the beach as a billionaire.

There you go,

A beach architect.

All right Jeff. Jeff Marshall, you know, CISO / architect, we got that from here on out. Awesome. Dave, what about you?

I have too many interests, but I do have two big passions outside of cybersecurity; and that would be aviation, and ancient history. So, I would probably be a test pilot that flies around Greece writing books on ancient Greek things. You know...

That's very specific.

That's not an industry...

I know it's a cottage industry right now, but I’m hoping to grow it.

And for me, you know, I guess if I wasn't in cyber, if I had to pick an industry right now, I would probably be in electric, you know, either self-driving cars or in this space of, you know, reusable stuff, some of the stuff that Tesla's doing. And I have a friend that works at a bus manufacturer; they make electric buses. I'd probably be interested in that space. I think it's a growing industry that I don't see going away. Of course, you know, it's funny, people say, “oh hey, it's green energy”, well there's a lot of coltan that goes into those batteries. I don't know how green it is.

But I think there's a lot of explosive growth for the electric car industry.

That’s a good one.

News

Alright, cool, enough about that. Let's get to our next segment of the week, our news section “hashing it out”. So, let's talk about headline number one, guys. Let me read this.

Headline #1 - Researchers Weigh in on Trump’s Cyber Workforce Executive Order

Source: https://threatpost.com/researchers-trumps-cyber-workforce-executive-order/144370/

This is a post over on Threatpost.com. They were chatting about one of the initiatives from the government they put out. I'm going to read this quote so bear with me for a second....

Article Quote

"While outlining no specific steps or actions, the order creates a directive to create “a superior cybersecurity workforce [that] will promote American prosperity and preserve peace,” and “strengthen the ability of the Nation to identify and mitigate cybersecurity vulnerabilities in critical infrastructure and defense systems.”"

Every quote I read from the government is super wordy, I have noticed.

Absolutely

So, what is this executive order from the White House saying, guys? Dave, what is this saying?

Dave - I think there have been several initiatives to create this giant cyber workforce. I think it’s kind of unfortunate, because you really do have one already, and it's called the military. I have some personal background in this. And the theme when I was in is you work in the Air Force for a little bit, then you get some experience. And you immediately leave and go to a private sector job that's going to pay you twice as much. So, I think if they really wanted to build this cyber expertise and have this body of people who are ready to jump into these positions and carry out this very important mission, then they would really devote some time to making sure that the guys in the military stay in the military. Get even better at what they do. Have incentive to be there and be in the service, before seeing these other opportunities outside the military. So, I think that if they just nurtured it....

I would tend to agree. You know, the number one problem in the government sector is dollars, right. They spend a lot of money, but they don't pay a lot of money. You know we hire a lot of ex-military and ex-government individuals, and we find that their salaries are significantly less. You know, way back when, a buddy of mine and I decided we wanted to be hackers for the FBI or NSA. And when we started going down that path, both being non-military personnel, we couldn't even leave a help desk job to go there, because they just don't pay enough. - Jeff Marshall

Chris - Sure. Well, it's interesting, right. Because, you know, the private sector, who are we protecting? We’re protecting usually commercial enterprises that are out there to make money. It's sort of weird that we wouldn't put more investment into it. And it's almost like our investment in teachers. You know, not to get too political, but we don't invest a lot in the guys that are kind of protecting our borders from a cyber standpoint. So, is there a solution, other than just throwing more money at it? Is there something that, I mean the executive order is out there to beef up the workforce. We've seen this with the college campus headline from last week. Is there a solution, Dave, that you can see in your mind, coming from that world?

Dave - I think, kind of like Jeff said, you just have to increase the incentives for people. I mean, it's easy to say pay people more. But I think it's also a matter of making that schooling, on a formal level, more accessible. Right now, I’m not trying to make this a discussion on the price of education, but education is incredibly expensive for people who want to go and get a degree. Be it a four-year or a master's degree, even an associate's degree. There are costs associated with that that have to be overcome to get into the workforce. And it may determine what kind of job they choose. So, I think you need to make the return on the investment for getting into cyber security worth it and incentivize that. It has to be beneficial for the people that want to get into that.

Chris - So, this is the question I have; I want to kind of dive into this a little bit more. So, I hear a lot of guys, they're really into privatizing stuff at the military sink. I hear that all the time, right. Let's privatize roads, let's privatize prisons, let's privatize schools, and stuff like that. And it sounds great on paper when you talk about it. Well, that's cool. We'll get better road service. And there'll be competition and whatnot. And I mean, I guess the government messes a little bit with it, they hire our people to go over, and in certain places, where we have a military force, they’re hiring, I don’t want to call them mercenaries. I don’t know what the right term is.

Contractor

Contractors, that's the right term, sorry. And so, they'll hire in contractors, is the solution maybe hiring a company to help run national security cyber security? Is that a possible solution?

Dave - Yeah, that's exactly what the Army did. And it was taking place when I was there, when I was getting out of that DOD bubble. The Army just basically said, we're kind of done with training a lot of people who can do cyber security as part of our service. So, we're just going to devote a lot of those resources to hiring contractors and subcontractors. Because a lot of the people who were in the Army doing those types of jobs would then find themselves in those same contracting positions. So, there are some entry points into a contracted position. And yeah, that could be a cost-effective solution. But that doesn't really speak to the goal of creating a gigantic cyber workforce that has all this expertise. Really, no matter where it's coming from, be it the military or private sector, you just have to make it cost effective. People look at education as a return on investment. And they need to know they can get an affordable education from somewhere that's credible and be able to make a buck once they get done.

Yes, so that's a whole other conversation, probably outside of the scope of this podcast.

Yeah, it reaches beyond cybersecurity.

Yes, absolutely.

Chris - Because I’ve been listening to stuff recently about the cost of education. It's a huge driver right now. We're getting to a point now where, when I was in high school, going to college was the only avenue. You had to go to college. And the message definitely from my parents was, go to school, get a good job at a company that's stable and retire with benefits. That was kind of the messaging when I was going to school. I was born in '83. So, I was going to college around, oh, ’01, ’02. That was the messaging still. But then we saw some stuff happen since then. With the ’08 market crash. Some of the things have changed in technology. Look at what the iPhone has done to society in the last ten years. And now look at the kids that can create a YouTube channel and make money while they're still in high school. That would far advance what they could possibly do with a college degree type job. So maybe that's changing a little bit. I mean, do you think there's an opportunity for people to get into cyber without having the formal education? Or do you have to have the formal education?

Absolutely. You don’t have to have a formal education to get into any IT industry, you know. I went to college for six months after high school and dropped out. And went to work at startups. And I didn't finish my formal education till later in life when I realized how important it was. And I still feel it's important, but it's not a necessity. - Jeff Marshall

I mean we have plenty of people here that work, that don't necessarily have a formal education. But they have many years of experience and an understanding. So, I don't think it's a requirement. But there's a difference between, a degree and just cyber security training as well right. So, you know there's plenty of training around how to be a hacker, or how to detect things, forensics, you know. All these expensive classes are out there as well, that you know, we send employees to and they cost a lot of money. So, doesn't necessarily have to be a degree-based education.

Dave - Now I think the perspective here is going to be, let's institutionalize it. Let's make it more formal, and all that costs money. And the reality is all this information is out on the internet, that you can go access for free. You can look up some guy's YouTube channel and get some incredibly valuable and accurate information, and basically teach yourself. But the government's approach is not going to be, okay everybody, go watch YouTube and bone up on security concepts. It's going to be, let's throw some money at the issue. Let's educate people formally. And I think if they're going to be successful, they need to find a cost-effective, reasonable way of doing that.

Yeah, and I think one of the other key things with this initiative is, nowhere in the initiative does it really spell out anything. It just says that we need this, which is an obvious case.

A bit of speaking to the crowd there.

Yeah, the platitudes don't set policy, it's how are you going to actually do this.

Where does the rubber meet the road?

Chris - I think that one last point on this and I’ll move on. I think the internet's great, and Youtube's great for learning a lot of stuff right. But I think that you can't just go to school on YouTube right. You can’t do anything on YouTube honestly, unless you're super disciplined right. Having a formality, having a curriculum, having a structure, having mentors. Having instructors to be able to guide you, is an important part of going to school. I think you know even if you look at something, like I’m really into guitar right. There's a ton of great videos on YouTube I can learn about playing guitar. But I’ll get better if I go sit with somebody who's better than me, he can show me the road that he went on right. And that's part of what school does as well for you. Working in teams. You just can't get that on YouTube.

Dave - And there are plenty of volunteer groups where they'll take you under their wing. Even if you don't know the first thing about, you know, the TCP handshake. There are resources out there to find like-minded people and get into that, you know, industry. And to your point, you can teach yourself things on YouTube. I taught myself things just by watching YouTube videos and reading blogs, and it would have been so much faster if I had someone to ask questions. If I’d known the terminology to Google, or whatever the case might be.

Let's move on to headline number two guys.

Headline #2 - Fraudsters Targeting Consumers with One-Ring Phone Scams

Source: https://www.tripwire.com/state-of-security/security-awareness/fraudsters-targeting-consumers-with-one-ring-phone-scams/

So, I brought this up guys because, I’m coming into the cyber world, I’m thinking it’s Swordfish and Hackers, and people port injections and SQL injections, header injections... Now I’m realizing there's a lot of really simple kind of scams like phishing. And then this phone hacking, this PBX hacking...

So, let me read this quote here. I want to bring this up from our conversation last week.

Article Quote

"Fraudsters are targeting consumers with one-ring phone scams that exploit people’s curiosity so as to trick them into paying exorbitant fees."

Chris - So, what they were doing here, because I actually read this one in detail, is basically they're sending a spoof call, or they're calling from a number that’s international, but it looks local. One ring, hang up. You'll see this a lot with telemarketers. They'll use your area code or use the first three digits of your cell phone to get you to call back. These telemarketers are actually using these paid 800 number, 900 number lines, that's charging your phone and they're making money off you, right. So, we talked last week about phishing being like 60%, Jeff you said, of the breaches we're seeing. How prevalent are we seeing this kind of phone happening? Is this happening in business too? I mean, how much are we seeing this?

Jeff - This is one of those things that have been happening longer back than you can even imagine. Back in the day people used fake numbers or hang up and you call back, and then they convinced you to you know log in to your computer and things like that. So, these aren't new they've been around forever. I think in the business world you probably get a little bit less of it, but it's hard to detect because it has nothing to do with technology from a network perspective. These people are making phone calls and a lot of people get shy and don't want to give up that they were scammed.

Dave - I don't want this to be the second episode of talking about a Google service, but I'm going to do it anyway because it's so good. With Google Assistant you push the screen call button, and then the AI talks back and says this Google subscriber uses a screening service, please state your name and include a brief message. I get spam phone calls constantly, and I have never had one actually try to say anything to Google Assistant, they just hang up. So there has to be some kind of business want for that. Something that kind of automatically screens these phone calls, and if it doesn't exist now, it's probably going to exist in the next five or six years.

Chris - Do you guys remember the 1-800 collect commercials, “we had a baby, it's a boy”? Do you remember that stuff? This is kind of reminding me of that. Sorry, I'm getting derailed here.

I know it's out of the scope of what we do from a business standpoint, you know we're looking at more of the technology with the network right. But it goes back to the social engineering piece. We sort of, or at least me as an outsider I come in and I go, 'this is advanced hacking and crazy stuff', but a lot of the breaches we're finding is human error right. That's a lot of where the fail mode is. So, this is, like Dave said, maybe having a policy in place, or a training in place, where you don’t have to really worry about this happening to you.

Jeff - Yeah, social engineering is fun. I mean, it used to be back in the day where you were just trying to con people or piggyback off of people to get into a building and find yourself to the server room. But it's gone much further than that now and things like this are usually targeted groups that are trying to just make a bunch of pennies off of phone calls.

Yeah definitely. Okay on the next one.

Headline #3 - Mirrorthief cybercrime group targets online campus stores in the US and Canada with card skimming malware

Source: https://cyware.com/news/mirrorthief-cybercrime-group-targets-online-campus-stores-in-the-us-and-canada-with-card-skimming-malware-e1aa4468

We've seen this stuff, the card skimmers on credit card machines, but this was actually happening at the checkout. I mean can you explain this to me a little bit, or provide some color around this.

Dave - Yeah so what they do is they will inject a script into the website, and in this case I think it was named the same as a Google Analytics script. So, when you go through the checkout process, the customer will eventually get to that resource and that resource is named the same as the legitimate resource. So, what happens is they'll insert their credentials, or their payment information, or whatever the case. And then I’d have to see the script and look at it, but it will probably take that information and just pass it directly to the existing script, the legitimate one, and then, in the process, that will steal that information and send it elsewhere. And the consumer will have gone through the transaction never knowing that they just interacted with the malicious web form. So, this is a script injection attack.

How easy is that to do?

I mean, it all depends on the website and how well it's locked down. How well you've hardened your payment interface.

Jeff - A big part of application security is making sure they're following OWASP Top 10, and following good practices. These things happen because good practices aren’t followed. So, the more we do due diligence as security professionals to educate developers and add security into the beginning of all these life cycles of software development, that's going to be the key.

I’m catching a theme, Jeff, it's hygiene, security hygiene. You gotta keep your hygiene clean.

Do we have anything else to add on that, guys? I guess what I’m starting to notice is that this stuff is happening all day, every day. Constantly across the United States and across the world. There are breaches and injections constantly.

Well it's easy for third-world countries to make a bunch of money now. And as long as we're all connected across this world and it's easier for these people to scam people far away, it's going to occur constantly. It's the nature of the world we are in, and you know in the future, this next war will be a cyber war right. We hear that all the time, but it's the truth. - Jeff Marshall

Chris - Now I’m starting to sound like one of the guys – “you're going to get breached man, you're going to get breached, you better get us”. Starting to sound like an infomercial right. I mean it's true though right. I guess that's the message that I’ve learned. It’s not a matter of if you're going to get breached, it's when. You know you're going to be breached at some point. It's how can you contain it, and how can you posture yourself better for the future.

Dave - Most organizations are going to have some kind of security incident. Be it every month or every year. Nobody's perfect there are always little cracks that things fall through, and you just have to have a plan in place before you get to that point.

Chris - So, guys, that's all I had for the news for this week. Let's jump into our last segment of the show of the day.

The HashMap

I’m calling it the “HashMap”. It's our roadmap for success in cybersecurity. We just had a blog post go up, talking about the packet advantage. Why having that packet level detail is superior to just having logs alone. We actually listed seven reasons. See The Packet Advantage article. For now, though, Dave, I wanted to ask you about that. If you could elaborate a little bit, get into some details. What is the packet advantage?

Logs, just by themselves, are going to tell you how devices respond. They give us a lot of good background information on how devices are configured, the actions that they took in response to certain types of activity. But packets are going to tell you what actually happened. And that's going to give you a lot of advantages in terms of better alerting, more data to query on, and more depth of investigation that you can set your analysts upon and have them dig into a lower level volume of data. - Dave Norlin

Jeff - So, let's throw this over to the physical security world right. My analogy is, if I’ve got my alarm system, and you came in my house and you left. I know you were in there and that you ran out. But with packets, I know you went in there you stole my damn tv, and you took off with it.

Chris - I got it, so for packets, for the layman out here, me. Logs would be like the old school alarm system that would just beep at you and send some kind of Morse code over to the security company; “hey you have an alarm trigger”. Then we get to the packet level, we’re actually getting video footage of what's going on.

Yeah, I know you came in wearing your blue shirt, and your ski mask. You stole my TV and took off with it.

Chris - Hold on, let me diverge. Why are the guys in those commercials really good-looking dudes? In these commercials, it’s always the real good-looking guys robbing the houses. They both look like they’re brothers or something. They look really similar. I feel like the guys who rob houses aren't that attractive.

Yeah probably not. I don't know if you've seen this commercial. I don't remember if it was Wayfair, or one of those guys. Essentially these two guys come in and they fall in love with the couch, and they take the couch instead of valuables. It's really ridiculous.

Dave, sorry did you want to add something? Sorry we are cutting you off, we are talking about commercials and we are off packets.

[Laughs]

No, so the bank robbery analogy is applicable.

Dave - So, to tie it back into one of the earlier news stories we talked about with the skimmer. When they upload that JavaScript file, you might see with logs only, a firewall event that said, “okay we had this incoming post”, you know maybe there's some kind of threat intelligence, or a signature built into the firewall that will detect that. But if you don't have something to compare that against, you're going to have a hard time figuring out what actually was in that request. So again, some devices will capture certain headers, or they'll capture the entire session. But really with packets, you don’t have to compromise. You can have an analyst look at that, and they can look at the entire payload. They can extract artifacts out of that, if need be. And then either replay them in a sandbox, or just read the script and tell you what it's going to do. And then there's zero ambiguity. You don't have to rely on an incomplete log to tell you what took place.

By the way I was wrong. It was a State Farm commercial actually.

The discount double check? The same guys?

Yeah

You know I met the marketing guy for all the State Farm stuff. He was the brainchild behind all that. He’s not that engaging of a guy. But he's a genius, I guess.

Anything else to add before we finish off packets?

I think that covers it.

Hopefully that makes sense. It's really about visibility. The more visibility you have into your network, and you have into the applications, the easier it is to understand what's going on, and look for the abnormal activity.

I appreciate the analogy Jeff. You made it make better sense to me. It makes sense abstractly. But when you put it like that, I think that, in this day and age, we all require that level of visibility. I think that's really important to have.

So, I appreciate it guys.

That’s all the time we have for the show today. Make sure to like and subscribe. And check us out on all the fun stuff like that. We’ll be back next week with more fun, hot, cybersecurity news. Thanks.
