S3 Ep61: Call scammers, cloud insecurity, and facial recognition creepiness [Podcast + Transcript]

[00’23”] Fun Fact: Ebooks reach their half-century.
[00’58”] Call scammers and cryptocoin treachery.
[07’34”] Cloud insecurity and yet more cryptocoin treachery.
[16’15”] Tech History: The interwoven story of Mary Shelley, Ada Lovelace and AI ethics.
[18’26”] Facial recognition creepiness.
[25’23”] Oh! No! The wannabe wizard that went to school with a trainee Sith.

With Paul Ducklin and Doug Aamoth. Intro and outro music by Edith Mudge.

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.

READ THE TRANSCRIPT

DOUG AAMOTH. Call spoofing (it’s still a problem), cloud attacks, and facial recognition no-nos: all that, and more, on the Naked Security Podcast…

[MUSICAL MODEM]

Welcome to the podcast, everybody: I am Doug; he is Paul; we have a fun filled show for you today.

And we like to start the show with a fun fact: the fun fact for today is that while ebooks are as popular as ever nowadays, they’ve been around for a whopping 50 years already.

The first book to be digitised, not really a book per se, was the US Declaration of Independence, digitised way back in 1971.


PAUL DUCKLIN. I thought you were going to say “in 1776” for a moment! [LAUGHS]


DOUG. Way back!

So, we will talk a little bit more about ebooks later in the show in our “This Week in Tech History” segment, but I thought that was a good fun fact to start us off with.

Paul, something else that’s been around for seemingly 50 years: call spoofing.

Still a problem, still way too easy, with no meaningful solution in sight… this is depressing.


DUCK. Sadly, that seems to be the case, Douglas.

The latest story that we covered on Naked Security was inspired by the fact that none other than the US Securities and Exchange Commission recently published a warning about a warning about a warning – they’ve been doing this for years and years and years – of investment scammers.

These scammers are not just calling you up and saying, “Hello. I’m with the SEC.”

They’re calling up and making the number that appears on your caller ID or your CLI display – the incoming call number – into an actual SEC number, and then identifying themselves as being from the SEC.

As in, “If you doubt my veracity, go and check the number that I called you from.”

And if you do, even if you’re really careful, if you do all your due diligence, you will find that the number is correct, because the protocol for injecting that number into the call data stream before you answer the call has zero authentication.

And without authentication, there’s basically no identification: the call might be from this person; it might not.

I think the ultimate solution is we just have to remember, every time we answer a call, no matter how many times you’ve answered the call before and it really was the person whose number came up on the display… we just have to take that as a *suggestion*.

Nothing more than a suggestion.

So it’s like the return address on the back of an old snail mail letter: the sender gets to write whatever they want on there, so that’s what we need to remember.

It’s handy to assume it might be true… and then if you can satisfy yourself it is true… hey, it’s your dad calling, it’s your favorite Auntie, it’s one of your kids calling from school to say they missed their lift, what should they do?, well then, that’s fine.

But in terms of identifying the person, “Caller ID” doesn’t identify the caller, and “Calling Line Identification”, as we call it in the UK, doesn’t even identify the line that’s calling you.

Because it could be any number or name in there that the caller likes.


DOUG. And as the SEC says in their statement, and this is true of many government entities here in the US – I don’t know how it is in the UK – but they said, “We don’t call people; we’re not going to call you about anything; we’re not going to send you an email; we’re not going to send you a text message.”

So, if someone’s calling saying that they’re from the SEC – and I’ve been audited on my taxes – *they don’t call you*!

They send you a very official looking package in the mail, and it says, “You’re being audited.”

You open it up, and there’s all the details about what you did wrong on your tax forms.

So they generally communicate via snail mail.


DUCK. And as the SEC points out, if they were to call you, they wouldn’t say, “Hey, let’s talk about your investments. Let’s talk about fraud. Why don’t you tell me your bank account number?”


DOUG. Yes. [LAUGHS]
.


DUCK. In the same way that the bank wouldn’t do that, and so forth.

The only real solution is that if you think you need to call the SEC, then you have to go out of your way to find that number in a legitimate way, not believing what somebody called you up and told you was true.

Of course, in some parts of the world, like in the UK, particularly if you had a prepaid mobile phone, it would be advantageous if Her Majesty’s Government were to call you, because they’d be paying the charges.


DOUG. [LAUGHS]


DUCK. Because when you call back in the UK, you often don’t get toll free numbers – we don’t have quite as much toll free largesse as you do in North America.

And a lot of companies use what are called non-geographical numbers – they typically start 03-, and basically it’s the cost of a local call, but if you have to be 45 minutes on hold, you’re still paying for it.

So there is a reason in some parts of the world why people go, “OK, I’m kind of happy that you called me, because it’s not going to burn up all my pay-as-you-go credit on my phone.”

But [a] it ain’t going to happen, and [b] even if it did happen, you couldn’t rely on the number.

And even if it did happen and you could rely on the number, the person calling you, if they were from the SEC, wouldn’t ask you any of the questions, or go through any of the dialogue or any of the rigmarole that the scammers do.


DOUG. Yes!

So this “message” from the SEC: they say that we won’t call and ask about your shareholdings, account numbers, PIN numbers, passwords or any other information that may be used to access your financial accounts.

It stands to reason that would be an odd thing for someone from the SEC to be asking of you.


DUCK. And it seems that the modern scammers are doing this in order to get traction with things like cryptocurrency.

And I think a lot of people think, “Oh, cryptocurrency, it’s not regulated. Golly, you never get your money back. Oh, well, if the SEC is onto it, given that we’ve read of cases where the got stolen bitcoins back, maybe this is a thing I can’t afford to miss out on.”

So be careful of believing what you wish to hear rather than listening for the truth.


DOUG. OK, we’ve got some advice here, aside from using common sense.

You say here: if someone says, “Check the caller ID if you don’t believe me,” that’s a sure sign that they’re lying.


DUCK. Absolutely.

That’s really important!

Instantly, you know they’re lying because that cannot possibly be true.

Don’t say another word – hang up, if someone says that.


DOUG. OK, we’ve given this advice before: if you need to contact someone, don’t rely on them contacting you and giving you the number to call them back.


DUCK. Exactly.


DOUG. You should actually call them on your own using a document that you have, like the back of your credit card.

You call using the official phone number that you have in your possession.


DUCK. Yes!

Or that could be a letter that you got through the snail mail when you first signed up for the service, something that predates the current caller.

For them to make my bank’s number show up when they call me – they can easily do that once they’ve learned how.

Or they can sign up for a service that will help them do it without understanding the technical details.

It is as easy for someone who knows how to spoof an incoming phone number as it is to put somebody else’s name in the from field of an email header.


DOUG. All right, that is: US government Security’s watchdog spoofed by investment scammers – don’t fall for it, on nakedsecurity.sophos.com.

Now let’s talk about cloud attacks!

The good news is that you have about 1 minute to protect yourself from these cloud attacks, right, Paul?


DUCK. Well, it depends on the nature of the attack.

A couple of years ago, when we did some research into how quickly we’d be found… in this case, we were using RDP and SSH, and RDP actually did better than SSH.

I think with RDP, the first probe we got on our first honeypot… was it 84 seconds?


DOUG. Yes.


DUCK. With SSH, it was was under a minute. [LAUGHS]

Remember that these are servers that we had gone out of our way not to advertise.

There was no domain name; there was no DNS entry for them.

We weren’t actually using them for anything, so there was no sense of any crook figuring, “Hey, that looks interesting enough to look into.”

This is just people going, “Let’s scan the Internet over and over and over and over and over again until we find somewhere that we know how to break in, and then let’s go and see what we can do.”

So in real life, the situation would be worse, because you’d have the automated scan/rescan/re-rescan crooks going after you…

…and you’d have crooks that go, “Hey, I see this website turned up in a list of new interesting websites on the subject of X -we’re interested in exploiting X, let’s go and take a look!”

So, Google just published a report – apparently, it’s the first edition of a report called Cloud Threat Intelligence.

I never knew Google was a cloud company, Doug…


BOTH. [LAUGHTER]


DUCK. …so I was surprised that this was the first edition.

What was interesting is they were confirming what we’ve all known for years about the speed with which cooks will get in.

But what was particularly interesting is that in this case, it’s clear that there are whole gangs of crooks, cybercriminal operators, who apparently don’t have an interest in the sort of attack that leads through that whole sequence of stuff that usually ends in ransomware.

The goal here – was it in 86% of the cases? – they knew in advance what they wanted to do when they got in: running cryptomining instantly.

And you can see why this is something that is more interesting to that kind of crook than ransomware, because if you’ve got a cloud service that you’ve set up and you’ve just got it sitting there, it’s got no data.

It’s just a server waiting, at low cost to you, maybe just a few dollars a month and you’ve got it ticking over there.

You know that if your business takes off, you won’t have time to order new servers… but you won’t mind paying even paying over the odds, compared to buying your own servers, if your business takes off to fund the fact that you’re now paying to service that business.

So that’s quite a useful part of the cloud server model, isn’t it?


DOUG. Yes.


DUCK. You don’t have to put in a massive amount of capital expenditure and then make sure that you load up all your service from the word go.

You can have them sitting there waiting, at comparatively low cost.

And the idea is that when you need to start paying the fees, as high as they might be, you know that the only reason the load went up is you got the business to balance it.

Unless the person who put the load on there was somebody who was *not* sharing the revenue with you.

Such as a cryptominer!


DOUG. I may not notice if I’m not paying attention to the alerts.

I might not know that I’ve scaled up a bunch of servers to mine cryptocurrency until I get my first bill…


DUCK. Or until you get [LAUGHS] a phone call from your credit card company!


DOUG. Yes…


DUCK. Oh, look: Caller ID! Credit card company!


DOUG. [LAUGHS]


DUCK. And in this case, it might be, “Hey, do you realise you’re really, really close to your limit?”

What?! How can that be?!

And then you go and look and realise that somebody has been mining out on your dime, as it were.

[PAUSE]

That was not an incredibly successful pun, Doug.

DOUG. [LAUGHS] Close enough.


DUCK. Thank you.


DOUG. The good news is that we’ve solved the weak password problem!

So this is no longer the way that the crooks are getting in so easily [SARCASTICALLY] right?


DUCK. Yes, that’s the good news in this report.

As Google explained, the percentage of these particular cryptomining centric breakins that relied on weak passwords was no longer an absolute majority, Doug.


DOUG. [LAUGHS]


DUCK. It was merely 48% of the time.


DOUG. Yes.


DUCK. And if I remember correctly, next down the list was 26%, and that was… you’re never going to guess this, Doug: “You forgot the patch.”


DOUG. [DRAMATICALLY] Oh, no!


DUCK. You’ve got a vulnerability that the crooks can detect, because of the version of the servers you’re running, and they’re wandering in at will.

So, yes, that’s a disappointing side to this.

I suppose some people cynics might say, “Oh, well, Google would love to offload the responsibility on the users”

But to be fair to them, in this case, 48% of attacks were based on weak passwords.

Google admitted that a special sort of weak password was “no password at all”.

And of course, these days that doesn’tjust include entering usernames and passwords.

It also includes things like API access tokens, where you’re supposed to make a connection to do an online service.

And in this case, what Google is saying is that people are setting up this kind of RESTful service, this kind of API based service, and maybe they still think they’re in debugging phase.

Or maybe they just forgot, so there’s a way that you can come in without providing any access token whatsoever.

So, you don’t need to log in first to get the access token.

You just come straight in, no authentication required, and that can be an expensive mistake.


DOUG. OK, so what can people do to protect their cloud instances in this instance?


DUCK. Well, it is all tried and tested advice, Doug, but as you’ve said before, it bears repeating because clearly there are loads of people who aren’t doing it right, if 48% of these attacks were passwordless or unauthenticated API visits:

* Pick proper passwords.

* Use password managers.

* Use two FA whenever you can, so the password alone is not enough.

* And patch early, patch often.

I think at this point, Doug, it’s worth mentioning that although in 86% of incursions cryptomining happened, there were plenty of other things that these automated crooks wanted to do.

And those included things that, although they might not cost you quite as much money as cryptomining, because they’re not hammering the CPU flat out or filling up your disk massively and immediately… they’re nevertheless things that leave you looking bad in a way that’s very hard to reverse.

And those things include:

* Scanning for the next cybercrime victims from your account, so you’re left looking like the bad guy, like the criminal hacker.

* Actively attacking other people from your account, including mounting DDoS, or Distributed Denial of Service attacks, so you’re left as the source of actual attacks that show up in other people’s logs.

* Using you as a spam sending cannon, so that when somebody gets added to the blocklist, it’s not the crooks – it’s you.

So, you’re carrying the can for them: the finger’s pointing at you, first and foremost.

And, if you don’t mind, you’re paying for it.


DOUG. And last but not least, you can invest in proactive cloud security protection.

Now, neither Paul nor I are in sales…


DUCK. Can you tell? [LAUGHS]


DOUG. So I don’t know if I’m giving the correct pitch here… [LAUGHS]


DUCK. I take that as a badge of honour, Doug… I’m very proud to hear you say that!


DOUG. Yes, I’m not good at asking people for money… but we do have cloud security solutions.

And I do like how you ended this post: “You can think of it like cloud security as the best sort of altruism.”

Because you’re protecting yourself, and in doing so, you’re protecting others who could otherwise get DDoS or spammed or malware from your account.

So it’s a good way to protect yourself and others at the same time, and stop this problem before it starts.


DUCK. Absolutely.


DOUG. OK, that is: Cloud security – don’t wait until your next bill to find out about an attack, on nakedsecurity.sophos.com.

And it’s time for “This Week in Tech History.”

We talked about ebooks at the top of the show, and this week, on December 1, 1971, a man named Michael Hart launched Project Gutenberg, the first provider of free electronic books.

Hart believed that, and I quote, “Literature should be as free as the air we breathe.”

50 years later, Project Gutenberg is still alive and kicking at gutenberg.org, where more than 60,000 free ebooks are available.

Double Fun Fact for this week: the most popular book on the site is Frankenstein; or the Modern Prometheus by Mary Shelley, with almost 85,000 downloads.


DUCK. I’m going to mention something that has nothing to do with cybersecurity…

Mary Shelley was married to Percy Bysshe Shelley, the only figure in English literature, as the ever-witty Bill Bryson has it, who has a name based on the sound of a burning match being immersed in water.


DOUG. [LAUGHS] Byssssssssshe…


DUCK. I told you it had nothing to do with cybersecurity!

Although, when they were doing their ghost writing competition… they were on some vacation, apparently, and it was raining, and the infamous Lord Byron was staying with them.

And he said, “Let’s all see who can write the best ghost story,” and Mary Shelley was the one that conquered that, as Project Gutenberg shows.

But [Byron], of course, was the father of Ada Lovelace, regarded by many people as the first person to have a computer program published.


DOUG. Yes!


DUCK. And Ada was quite interested in the idea of what we now call artificial intelligence, and “Can machines think?”, something had to wait another 100 years before Alan Turing got onto the case.

And you can imagine that Ada would have been influenced by the ethical and moral dilemmas introduced by Mary Shelley in Frankenstein.

And, as I said, she was the wife of Percy…


DOUG. [FX: HOT MATCH INTO WATER] Bysshe!


DUCK. Shelley.


DOUG. Well, that is a great segue to our next story about AI.


DUCK. Thank you, Doug, I was wondering if I’d get away with that…


DOUG. [LAUGHS]


DUCK. …but you saved me! Thank you so much.


DOUG. Facial recognition.

[IRONIC TONE] And this is a heartbreaking story, according to the CEO of the company that’s getting fined some $20 million for improper use of facial recognition…


DUCK. [STAGE HISTRIONICS] Oh, Doug, Doug, my heart’s crying, man, they don’t want my [SOB] technology.

[NORMAL VOICE] Can I jump to the end?


DOUG. Sure!

DUCK “Cry me a river. (Don’t act like you don’t know it.)”

Yes, this is good old Clearview AI again.

I get where they’re coming from – it’s not inherently a bad idea what they’ve done, but the way they’ve gone about it has got everybody’s backs up, including most social networking behemoths.

If you haven’t heard of Clearview, the simple story is they go out and scrape what they consider “public” (I’m making giant airquotes) images where there’s data about the names in the image.

And they’ve built this facial recognition database that they say has 10 billion categorized images in it.

And even though they didn’t have permission to download these images from services like Facebook, Twitter, YouTube – in fact, they were told to stop because it was against the terms and conditions of service – they still think this is a fantastic tool, provided that they sell it only to the (even bigger air quotes) “right people”, by which we assume they mean law enforcement.

And the idea is instead of having to compare an image from, say, CCTV or surveillance camera or a street camera with known mug shots… the idea is you can go to these 10 billion precategorised images and just find people.

Apparently, as long as you solve a few crimes, Doug, that makes it all worthwhile.


DOUG. I was trying to think of a diplomatic way to put it, and you put it diplomatically. when you started talking about this: I get where they’re coming from, but this is not the right way to do it!


DUCK. No, particularly since – I think this was in early 2020 – a whole load of social networking sites that at least included Facebook, Twitter, YouTube, actually said, “Cease and desist. You can’t do this. It’s against our terms and conditions of service.”

And you think: Facebook!


DOUG. [LAUGHS]


DUCK. The company that everyone loves to hate… they’ve already got these images; they’ve got them with permission; there are terms and conditions involved; and whether you like them or not, they are there.

And if *Facebook itself* has decided, “No, we’re not going to do this, it’s a step too far,” and then says, “Cease and desist”…

You think that you’d go, “OK, this is not going to go well.”

But apparently the CEO, in an interview with CBS News, said, “We have a First Amendment right to public information. And so we built our system by taking only publicly available information and indexing it.”

As though the fact that something is public means that it no longer counts as personally identifiable information.

Or that there was no previous expectation that the uploader might have with the person who’s publishing the data.


DOUG. OK, in the UK and Australia… this caught the ire of both of those.


DUCK. Yes!

They figured, “First Amendment? Well, you have one of those. We don’t.”

As a commenter on that CBS video very reasonably said, “You were so preoccupied with whether or not you could do this, you didn’t stop to think whether you should,” snd I think that’s the way a lot of people feel about this.

And so the UK and Australia decided to do a joint investigation: the Office of the Australian Information Commissioner (OAIC) and the UK Information Commissioner’s Office (ICO) did this joint investigation, and they have just recently published their respective reports.

The one thing that both of those Privacy Commission Offices agree on is that, in their opinion, what Clearview did was that they basically collected information *using unlawful or unfair means*.

And, in the words of the UK Information Commissioner’s Office, they did not process information in a way that people would reasonably expect them to.


DOUG. Yes, that part is interesting.

As in, I upload my photos to Facebook, and I assume that they’re going to be used on Facebook, and maybe Facebook’s going to make money off in some way…

But I don’t expect them to be scraped for a law enforcement database!


DUCK. And, importantly, the ICO in the UK made the point that not only did they collect the data without a lawful reason; not only did they collect it where people might reasonably have expected them not to do so; not only did they have no process where people would say, “I want you to stop doing that and get rid of all my existing data”…

Because it’s your face, and they’re indexing your face, it counts as biometric data, and there should be even higher standards that they were supposed to stick to, which they did not.

And then, importantly, the last point that the ICO made: Clearview didn’t tell anyone what was happening to their data.

So, that was felt to be entirely unacceptable.

The Aussies said, “Don’t do it again,” which sounds a little bit like a toothless tiger, but then they also said, “And any data collected from Oz? Delete it, and within 90 days, show us you’ve done what you’re supposed to do. No excuses.”

The UK pretty much said the same thing, but instead of saying, “And within 90 days, prove it,” they said, “Our plan is that we will find you £17 million,” which is about $23 million.

And the CEO of Clearview, Doug, as you said, claims that his heart is broken.

[HAMMING UP] “Breaks my heart, that you don’t want to use the data for this wonderful purpose.”

I imagine it probably breaks his heart that he might have to pay 17 million quid…


DOUG. Yes, there’s that.


DUCK. But he’s, [SOBBING] “Oh, golly, I’m weeping inside. I want to save the world and you won’t let me.”

That’s what he thinks, but it does seem that it’s not what many jurisdictions in the world think!

And if you have an opinion on this, we would love to hear it, so head over to Naked Security and let us know what you think.

You may, as always, remain anonymous if you wish.


DOUG. All right, that is: Controversial face matchers Clearview set to be fined over $20 million.

And it’s time in the show for our “Oh! No!”

On Reddit, user Mike Oxenfair writes…

Some years ago I worked in an educational establishment. One of the many jobs I undertook was to rebuild a SQL…

Ah, he says “*an* ess-queue-ell”.

There’s a very hard line drawn… do you pronounce SQL as “sequel” or as “ess-queue-ell”…


DUCK. [STAGE WHISPER] Sequel!

with the inventor saying it should be “ess-queue-ell”…


DUCK. [STAGE WHISPER] Sequel!


DOUG. ..and then people later on say “sequel”.

Okay, I’m just going to say “sequel” then – I said “ess-queue-ell” for a long time, I’ve gone back and forth… I’m going to go back to “sequel”.

{BACK TO THE STORY] I undertookto rebuild a SQL database that had been so badly designed that it had failed after five years – I didn’t think that was possible.


DUCK. Do you think that’s meant to be a light hearted comment, Doug?

From the number of IT projects that never actually ship…


DOUG. Yes, seriously!


DUCK. And the database fails before it even starts!

Five years? That’s actually not bad, is it?

Practically long lived, by some stanDARDS.

I guess what he was saying, “I’ve never been asked to replace a database in less than 45 years, they’ve always lived far too long.”


DOUG. Yes, older than some ebooks out there!

So, I had to rebuild all the various functions and add a few more using Excel.

But I replaced a lot of the code in a manner that would be sort of future proof.

To do this, I had to test the functionality, but the data was all subject to data protection law.

There’s an easy fix for testing…


DUCK. At least he recognized that!


DOUG. Yes!


DUCK. Unlike some people in this episode.


DOUG. Exactly!

The head of school, or the principal, wanted an update.

So I shared a data set and she accused me of revealing sensitive data – a fireable offense, until I pointed out the names in the data set.

Harry Potter, Darth Vader, Billy Nomates, and so on: all dummy data.

Well, I didn’t get fired.

There was no data protection issue, and I finished the project about a month later.

Good times.

It’s great advice to people using dummy data sets – make sure you use dummy data, don’t use real data!


DUCK. And don’t use pseudoanonymized data, where the anonymisation can be worked backwards because you’ve just shifted all the letters around or something like that, not scrambled or hashed it properly.


DOUG. Even just sharing it internally, you can get in trouble.


DUCK. I’m mystified that you would have a school where Harry Potter and Darth Vader attended the same school at roughly the same time.

But I suppose all things are possible.


DOUG. Yes!

And our friend Billy Nomates, who I have not heard of as a dummy user… but it sounds like he has no friends.

That’s tough.


DUCK. You’ll go far, Doug, with detective instincts like that.


DOUG. Perfect! Just in case I need to fall back on being a private eye.


DUCK. [LAUGHS]


DOUG. Well, if you have an “Oh! No!” you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles or you can hit us up on social @NakedSecurity.

That is our show for today, thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, Reminding you until next time, to…


BOTH. Stay secure!

[MUSICAL MODEM]

Learn more about Sophos Managed Threat Response here:
Sophos MTR – Expert Led Response  ▶
24/7 threat hunting, detection, and response  ▶