Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the YouTube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Don Heatley, Principal Technology Security, AT&T, and Jonathan Gonzalez, Lead Member of Technical Staff, AT&T, talking about the stories featured in the 1/10 ThreatTraq episode.
Don: Hi, welcome to ThreatTraq Essentials, where we will take a look at some everyday cybersecurity lessons that we can learn from this week's ThreatTraq stories. I'm here with Jonathan Gonzalez. Welcome, Jonathan.
Jonathan: Thank you.
Don: We have a lot of interesting stories. Now, the first one is really interesting because every week, we give tips on the show and we talk about apps and downloading them. We always say what? Download them from where?
Jonathan: So, it means downloading from an official application store, like the Google Play Store or the Apple Store.
Don: And it turns out that although that's great advice, it's not foolproof. Tell me about this story and why that is.
Jonathan: Right. While Google and Apple are very good at filtering the submissions that are bad, sometimes they can miss a few. And that's what happened in this case. I believe there were three applications that got through, which have now been removed from the store. I believe they have the ability to remove malicious apps from phones that might have had it installed. But in this case, the applications got through and people installed them.
Don: And what could these malicious applications potentially do?
Jonathan: So, in this case, all you have to do is install it, and then the application would get privilege escalation, which means that the application could then give itself permission to do things like look at things in your phone that you might not want them to have looked at.
Don: Like contacts, photographs.
Jonathan: Your Twitter account, your Facebook account. Again, private things, without your knowledge in this case.
Don: So, how do people protect themselves? Even when you go to a reputable app store, what should they do?
Jonathan: So, the first thing I would say is, try to avoid applications that you've never heard of, even if you just want to try them. You know, there are reasons why you would only want to recommend reputable apps, right? And this is one of those cases. Also look at how many people have downloaded the app and what kind of reviews it has. If you have something with very few downloads and no reviews, this might be a sign that maybe this is not an app that people know about. Even if it does the thing that you want, it might not be worth the risk.
Don: So, be suspicious when you see something like that.
Jonathan: Yes. No reviews and very few downloads should definitely trigger something in you to say, "Okay, maybe I don't need this app right now. Let's see if it becomes popular. Let's see if people are using it." And even in that case, it could still mean that something's bad, but hopefully, by then Google would have figured out, "Okay, this is a bad app. We're going to remove it from the store."
Don: And it'll be gone.
Jonathan: And it'll be gone.
Don: Let's talk about the story Mike Stair brought to us about gas pumps and how there are efforts being made to fight credit card skimmers at gas pumps, which can be a problem, and it has to do with the new policy. Tell me about that.
Jonathan: Right. This new policy has to do with liability, I believe. So, gas stations will now be liable for any fraudulent transaction that happens at the pumps. This was not the case, which was very surprising to me. Now these gas stations will likely have to either figure out if the risk is worth the upgrades or comply.
Don: So, basically, they need to upgrade their pumps and add certain security procedures, like chip readers for the cards, encrypting transmissions, and they have to do this by October.
Jonathan: That's correct.
Don: And so, I guess, the danger is that criminals may be like, "Okay, we have from now until October to go at it and really start taking advantage of skimmers."
Jonathan: Well, I think researchers are predicting that because this policy goes into effect in October, a lot of the gas stations will be persuaded to upgrade, which means bad guys are going to have many months, 9-10 months, to try to get at these gas stations and get as much money as possible before everybody upgrades their systems.
Don: And in the meantime, what precautions should people take?
Jonathan: In our case in New Jersey, it's a little tough because we hand out a credit card to a person, but in most states, it would be helpful to double-check that there are no skimmers. I mean, sometimes they're really good and well hidden. If something seems suspicious on the machine that you're putting your card into, then maybe stop and think about that before you do that. Sometimes it's very obvious, sometimes it's not.
Also watch your credit card transactions. If you've seen anything suspicious, call the credit card company right away. You might've been compromised. Unfortunately, some of the skimmers are very good. It's really hard to tell people to watch out for them. This is why I think the policy is good: now the gas stations have to figure out how to make this happen in a way that the consumer doesn't have to worry about it.
Don: And let's talk about the story that you brought to us. That one was about ransomware. We give people a lot of advice about ransomware, but this was about some advice you encountered that we often overlook. Tell me what it is.
Jonathan: So, if you've been a victim of ransomware and we're in the process of cleanup and mitigating the issue, sometimes we might forget that in that process, other things might have happened. In this case, it would be that passwords of people that were using the systems could have also been compromised and have been sent to other places to be sold or used for other purposes. Now, these may be accounts of your employees, or if you have guest systems, these may be people that have used your computers. So, if there was any compromise, assume everybody that ever touched your systems needs to reset all their passwords, period.
Don: Say, I work somewhere at a company that's been the victim of a ransomware attack. It's not just the company that needs to be concerned. All the people who work there, especially if they use their business machines to get into personal accounts, should be aware all those passwords could have been compromised too.
Jonathan: That is correct. So, in the process of getting the company infected with ransomware, the bad guys might've installed other things on these systems that could have stolen any password on the system. That could include your bank account on a company computer, your personal email, and Twitter or Facebook. We saw in the report, things like LastPass, which is a password manager, could also have been compromised, right? So, these are things that you should be aware of. Reset all your passwords, every single one that might've touched any of those systems. I guess my advice would be to reset them all anyway.
Don: And what if you bring a personal computer to work and you just got on the network wirelessly, could those passwords from that computer also be compromised?
Jonathan: It depends. That's actually an interesting question because that brings a different policy thing, which is, bring your own device (BYOD). Now, there are companies that allow this. If you are in a company where you are allowed to bring your own device, where we're connecting to that network, there is a potential that your personal system was compromised. It's hard to say. Make sure that you also reset all your passwords because they were likely compromised. I think that the advice applies no matter what.
Don: John Hogoboom suggested that there's one password that you should change first. Tell us about that and why.
Jonathan: The first passwords that you start changing are all your email passwords. Now, the reason for this is that a lot of other accounts use your email to reset those passwords. So, if you get a hold of your email accounts and change those passwords as quickly as possible, that minimizes the risk of an attacker trying to steal your accounts. Because now, at least, if they get to other accounts, you have your emails with a password that you know is good, and can now start resetting other things that might have gotten compromised beyond this. So, emails first is very good advice. And then continue on and reset everything.
Don: Well, it is great advice. So, thanks for being on the show, Jonathan. And thank you all for watching. Please remember to like our videos and subscribe to our channel. And as always, you can take a deeper dive into any of these stories by clicking on the playlist below. We'll see you next time.