From malicious hacks to accidental misconfigurations, Chris Vickery has seen it all. But as cybercriminals continue to innovate, Vickery, the director of risk research with UpGuard, said one emerging security threat will “blindside” the world: “fakeable” voices. More bad actors using artificial intelligence (AI) will create copycat voices of a trusted family member or executive, he said, then call individuals, and even enterprises, and scam them out of money or valuable data.

Vickery also talks to Threatpost about fringe data breach discoveries he’s encountered over the last few years, as well as how the process of data breach disclosure is shifting and the best first steps companies can take once a data breach has been discovered.

**Lindsey O’Donnell-Welch:** Hi, everyone, this is Lindsey O’Donnell-Welch with Threatpost. And I am joined today by Chris Vickery, the director of risk research with UpGuard. Chris, thanks so much for joining me today.

Chris Vickery: Thank you for having me.

LO: Yeah. So just for all of our listeners, Chris works at UpGuard, and he has a great track record of discovering major data breaches and vulnerabilities across the digital landscape. So we’re going to have a great discussion today about kind of data breach disclosure and the process of finding data breaches. And some of the biggest trends that Chris is seeing in the data breach landscape. So, Chris, just to start, you know, the last time we talked to you, we were talking about the concept of what a data breach is, and you were mentioning that, you know, there’s kind of this concept of data breaches being solely you know, hacks by malicious actors. But that’s not really the case anymore, is it? I mean, I feel like so many of these data breaches stem from exposures from misconfigurations from accidental types of situations. What are you seeing there?

CV: That is true. There is a common misconception in the world of network and cybersecurity that a data breach equals a hack, a malicious bad guy, you know, in a hoodie, at a keyboard doing something wrong. That’s a misconception because there are plenty of malicious hacks as well as a much larger amount of non-malicious data breaches that are not necessarily being done on purpose or happening due to malicious things, that just are mistakes that people make, or somebody accepting a risk that they shouldn’t have accepted. And people are starting to get the difference. I’m seeing fewer articles that just default to the term of hack hack hack, this was a malicious, evil thing that resulted in a data breach, or company XYZ was breached. It doesn’t work like that. It should be framed more as company XYZ experienced a data breach. So it isn’t necessarily that an outsider breached their defenses. Although that does happen. It’s equally as bad if an insider decided, ‘Hey, I’m going to cut a corner.’ And they did something that exposed information publicly, or they made a mistake and didn’t put a password or a username because they didn’t understand the software as well as they could have. Still, it’s a data breach because it exposed information to the public internet. And people are starting to get it more and more, there is a distinct difference between the two.

LO: What’s kind of the craziest type of incident that you’ve seen?

CV: One of the more impactful and noteworthy, in my opinion, kind of exposures or breaches or whatever you want to refer to it as, non-malicious findings that I came across in my work currently with UpGuard, is one that was covered originally by TechCrunch. And it didn’t really spread very far from there. I don’t know why, it was talked about a bit. But we came across the entire communications infrastructure, telecommunications infrastructure for the Russian Federation, the entire nation.

We’re talking about VPN passwords, every satellite and every antenna – like pictures of, physically, people have walked up taking pictures, done full audits of the entire telecommunication, communications infrastructure. Because a Nokia employee had taken home a hard drive, plugged it into the Internet, and apparently didn’t have any sort of firewall between it and the public Internet. And I came across it and downloaded about 1.6 terabytes of information going so far as to talk about the Russian Ministry of Defense. And the FSB, their version of, I believe, the FBI, their Bureau of Investigation. They have a system called SORM that allows them access to all the communications data centers, and the ISPs are not allowed to access these special SORM boxes that are in their data center. And the documents, the planning, the access credentials, all that, was all here. So it was like, Oh, my God, this is a nation that’s fully compromised now due to this data exposure, and it didn’t get as much attention as I thought it would.

LO: That’s pretty insane. I’m curious when you discover those types of issues or incidents, what is the process from the beginning to the end that you need to go through? Are you looking specifically for those types of incidents? Or do you kind of stumble upon this or what’s the start there?

CV: It’s a stumble-upon thing. Mostly we are not trying to hunt down any particular entity or choose targets necessarily. There are plenty of enterprise-level clients that we have, that we have specific agreements that we will watch over their stuff, but we don’t go looking for other things based upon what they want us to look at, like as far as other entities go, we look over their stuff. But then in the research side of things where we seek to raise public awareness and get people and the general public to be more knowledgeable about the prevalence of data breaches, we will just look randomly and see what we discover. And when we come across something really noteworthy, we’ll write up reports and we’ll find news media that are working in that space that will be conducive to raising public awareness. So I’ll generally download at least a representative sample if not all of it. That’s the first step after something’s notified, or noticed as being open to the public Internet, and downloadable, and we used to just download a representative sample out of time concerns and other things. But it has become more necessary to download as much as possible, because we’ve come into situations where, like, the CEO doesn’t believe his own tech staff. So he wants to get a copy of what was exposed and comes to us afterwards saying, Hey, you guys found this and notified us and did the right thing. You also have the ability to show me what really was exposed because my team is not being honest with me. Then there’s the regulators that get involved that have the same concern but of the entire company, not telling them the truth, versus what really was the truth.

And then there’s the concern of ‘Okay, if there’s any sort of litigation that comes out of this, is there a legal duty,’ I’m not an attorney but there is a legal concern where if somebody says in our report, you said XYZ and that’s not true, then if we have it all, and we have our analysis and everything, then it’s a lot easier to say, ‘hey, guess what we said was true.’ And here’s the evidence.

**LO:** That’s a lot of layers, there is a lot to be concerned about.


Chris Vickery: AI Will Drive Tomorrow’s Data Breaches