National Risk Register, Encrypted Messaging, Residential Proxy Networks

[00:00:02] Dani Middleton-Wren: Hello and welcome to Cybersecurity Session series two, episode four. I'm your host, Dani Middleton-Wren, and I am joined today by our panel of experts. We have Andy Lole, CTO at Netacea. Cyril Noel-Tagoe, who is our principal security researcher at Netacea, and Karol Horosin, who is engineering manager at Netacea. So today we've got a fantastic suite of topics to discuss, including the National Risk Register, illicit Telegram networks, and our attack of the month, which is residential proxies. So the reason we are joined by Andy, Cyril and Karol is because each of the team are able to provide a different perspective across each of today's topics.

So we're gonna start with the National Risk Register. So the UK government has released its annual National Risk Register. This is a public version of the National Security Risk Assessment, which assesses the most serious risks including health, society, critical infrastructure, economy, and lives. It sets out a reasonable worst case scenario for each risk, and this year cyber attacks on infrastructure are listed as moderate impact. They predict there'll be 41 to 200 deaths and 81 to 400 casualties that will cost hundreds of millions of pounds, and there is a likelihood of between five and 25% that these will occur.

So Cyril, do you think it's surprising that cyber attacks have been ranked alongside risks like nuclear fallout and terror attacks?

[00:01:34] Cyril Noel-Tagoe: I think it's something I've expected to see, and it's not the first time that cyber's been in the National Risk Register. The Risk Register has been going on since 2008, and we've had these large scale kind of cyber attacks like WannaCry in 2017, which have really amplified the disruption and damage that cyber attacks can do.

It hit the NHS quite hard, it hit other areas as well, but kind of the large scale disruption that that caused. So I think it's actually quite prudent for the government to be looking at that in the same kind of vein as these other attacks, which can cause large scale disruption.

[00:02:11] Dani Middleton-Wren: And so what kind of... if we think about bots, which is obviously our bread and butter, what kind of bot attacks do you think we might expect to see participating in these national cybersecurity attacks?

[00:02:23] Cyril Noel-Tagoe: So when we're looking at bots, we're really looking at bots which are trying to disrupt business processes, but really for some type of gain for the attacker attacker. These types of attacks, the gain for the attacker is more geopolitical.

So it's more of a kind of a disruption type of attack. So maybe if you can stop hospitals from working, if you can stop telecommunications providers from being able to provide a service... bot attacks, when we're generally looking at those, we're looking at can you exfiltrate data from a service, or can we past a limit we have to do. So can we come back? Can we buy something? Slightly different types of attack, but it could be a secondary impact. So, you know, if a service doesn't actually protect its infrastructure well enough that a bot attack, which doesn't intend to, may actually cause disruption. Maybe not to the scales that they're looking at in this but getting close.

[00:03:11] Dani Middleton-Wren: Okay, so you mentioned there the geopolitical impact, so do you think it'll be nation state attacks that will be carrying out these cyber attacks on national infrastructure?

[00:03:20] Cyril Noel-Tagoe: I think a lot of them, yes. But there's an increasingly blurred line between kind of the capabilities of nation state actors and well-funded organized criminal groups, so taking a ransomware attack on, you know, any of these kind of critical national infrastructure.

A nation state's got an incentive to do that. But also a organized criminal group that can get money back. So if you, you know, can take you out, you're gonna have to pay because that service is vital. So there's gonna be an incentive to pay back. So, yeah, mostly nation states, but yeah, there could be organized criminal groups as well.

Which is weird. 'cause there's some ransomware groups which state that they won't target things like hospitals because they've got a code of conduct and they don't wanna harm health. And then you look at the most targeted sectors by ransomware and healthcare ranks right at the top of that. So, yeah, it's a bit of a weird one.

[00:04:14] Dani Middleton-Wren: Yeah. I wonder how that works, but I suppose we're talking about ethics amongst criminal groups, so let's not dig too deep in there. Let's not overthink it.

Okay. And Karol, so what extra measures do you think need to be put into place when building applications and networks for critical infrastructure, from a technical perspective?

[00:04:34] Karol Horosin: Yeah, so critical infrastructure probably should be treated as any other infrastructure, but with more care, even though we have problems with funding and resources . So securing a critical system has the same checklist that's securing any other system. I could go through the whole checklist I would do, but there are some basics that we hear about all the time.

So, you know, your systems need to be segmented. It shouldn't be the case where, when you break into one of the piece of infrastructure or software, you can then attack the whole system. And we don't see enough segmentation in those systems as we see from attacks that are being reported. So those systems should be segmented and the communication between systems should be secure, basics like that, backups, disaster recovery, multifactor authentication.

So applying a known set of measures is crazy important and should secure most of the systems. The sad reality is there's not always time or business priority to implement all of those. And so when doing that, we should not only ask our critical infrastructure managers to implement new features, give us better access to say our healthcare data, but we should ask those questions.

Is this access secure? Are those developments done at the right pace with the right set of assumptions? So when looking at a cost of critical infrastructure projects, we should not assume that the amount spent is humongous because it's mismanaged. We should ask how is it spent? And even ask, can we spend more on projects like this in order to have time to implement security measures?

I would also say, there is nuance in attacks. As Cyril mentioned, bots may not be the biggest problem in those kinds of attacks, but they can be used in various ways and there are threats that are related to nation systems that commerce has different experience with. One example could be crowdsource attacks.

When some of the critical infrastructure is related to legislation that is unpopular with the population, some of the systems may be attacked by activist groups that install all sorts of software that attacks this infrastructure or even people sometimes can bring down a piece of infrastructure by just doing stuff with it that was unintended. And from our point of view, we saw this thing happening in the conflict and now in Eastern Europe. And the target was Russia. There was a lot of crowdsource attacks, and the infrastructure was brought down by regular humans entering and doing things that they were asked to by other actors.

So, there's a lot more nuance in critical infrastructure and national security than in commerce, but I would say, just do regular stuff, but put more attention to it. I read the book by Austin Kleon recently, and I didn't think about it in this context, but ordinary measures with extra attention are extraordinary measures.

So when we do critical infrastructure security, just let's put extra attention into regular stuff.

[00:08:00] Andy Lole: I think, critical infrastructure is just that, if platforms are not built in a secure way, it will be sadly quite easy for people to get into them.

Just looking at the UK health system, for example, and the NHS, part of the reason that it is a fairly soft target is there's been fundamental underinvestment in bringing the technology up to current standards. And that's not aimed at the people involved, there are a lot of people working incredibly hard to maintain these legacy systems.

But actually without the ability to bring them up to date and defend against these sort of attacks, people will continue to be an easy target. Private sector, public sector, you name it, the same principles apply. At least the government is thinking about these sort of things, which is a step in the right direction.

[00:08:44] Dani Middleton-Wren: So when you say they're less able to bring things up to scratch, is that because of funding, because they don't tend to have the resource, or is it they don't necessarily attract the skilled people they need to those roles to carry it out?

[00:08:57] Andy Lole: I think it can be a bit of both. Take taking the British NHS for example, that's definitely a funding issue. They are able to attract very good people. There is an interesting question in there though, around... can normal, in inverted commas, government departments attract the most skilled and technically interested security professionals? Obviously in the UK, the GCHQ team are able to attract some very interesting people.

And I have no doubt that in the public sector, there are some incredibly talented and industry leading specialists. Is that the case across every government department? I'm very sure it's not.

[00:09:30] Dani Middleton-Wren: And do you think that is because they are GCHQ and they are just more appealing to people who want to work in that industry? Well, what do you think it is?

[00:09:37] Andy Lole: I think there's probably a couple of things in there. The GCHQ is gonna appeal to a certain kind of candidate for sure. But I think there is also a mindset around, if we think of a government department as effectively like any other business, what's the strategy of the leadership there?

Do they take this sort of stuff seriously? Seeing the government publishing their Risk Register in this way, it's got us talking for start. I sincerely hope it gets the leadership of the sort of the civil servants leading, whether it be department for health, department for working pensions, et cetera.

The DWP I suspect is under massive attack. They are the, I think the largest generator of bank transfers in the UK. The DWP is paying out all kinds of benefit payments across the whole of the UK. Disrupting that, pointing those in the wrong direction would be a very interesting target. So I've no doubt that leadership there are thinking about that. But then we look at the Ministry for Agriculture, for example.

Are they thinking in the same way, despite the fact that actually there's agricultural subsidies, which are now paid out online, are an equally interesting but possibly softer target?

[00:10:38] Dani Middleton-Wren: Got you. Okay. So just while we're talking about national infrastructure and cyber attacks that are targeting national entities. So this week, I dunno if anybody spotted, but the electoral commission released a statement to say that because of the GDPR, they need to notify data subjects that data has been breached by inappropriate access, loss, or theft from their systems. So the incident was identified in October 2022 after suspicious activity was detected on their systems, and it became clear that hostile actors had first accessed the systems in August 2021. The perpetrators had access to the commission's servers, which held their email, their control systems and copies of electoral registers. Cyril, do you think this is something that the Risk Register alludes to and we're already starting to see that kind of come true? Obviously this isn't infrastructure, but it's a cyber attack on a national system and this will affect hundreds of thousands of people.

It's all voters that have registered between 2014 and 2022, so it's a lot of people.

[00:11:42] Cyril Noel-Tagoe: Yeah, yeah, definitely. I think this is one of the scenarios that they looked at. So they looked at attacks on critical national infrastructure kind of disruptions, attacks on that, but then also attacks on the whole electoral process. You know, we've seen previously in American and I think even in British elections, kind of foreign powers trying to use cyber and disinformation to try and influence those.

So yeah, that's definitely something that they're looking at. I think it's interesting as well, because under GDPR, political information is one of the higher categories of information so that this is actually quite a serious breach. So it's gonna be interesting to see kind of the fallout from that and remedial actions that are taken following that.

[00:12:29] Dani Middleton-Wren: Karol, what is the threat then to users? So people who have been registered on the electoral roll, is there anything they can do now to protect themselves?

[00:12:38] Karol Horosin: Yeah, so when you look at any data breach, you have to think from a perspective of an attacker of how this information can be used. So if there is a personal information related to you available online and you use it in a plain format in your passwords, this will probably be used to break it if you are a point of attack. So, as with any incident, I would recommend turn on multifactor authentication everywhere you are registered after an attack, and you think that some of the data might be hinting to your passwords, or even if you don't think it, just do it. Change your passwords in the... at least in the most critical pieces of software you have. While changing passwords, keep separate passwords to different services. And also, personal data can be used to make some financial operations on our behalf. So I would say use the regular measures, you know, about to monitor financial activity related to your name, so any credit alerts you can turn on, do them, and then set up your bank so you know that the operations that are above an amount are happening, so you're just aware of what's going on. Usually being aware helps you prevent all of stuff as well, and don't ignore those notifications. I've ignored a few times when my Apple Watch told me that my device is getting away from me, and one of those times was when someone stole my laptop. So, look at the notifications and make sure you're getting the right ones.

[00:14:12] Dani Middleton-Wren: Oh my goodness. What happened?

[00:14:14] Karol Horosin: Oh, it was just a rental car with no security at all. So, I think someone just opened the trunk and took it out of my backpack. And I got the notification on my watch, "Oh, your laptop is getting away from you." But I was too busy eating ice cream, so...

[00:14:33] Dani Middleton-Wren: It turned out it really was just running away from you.

[00:14:37] Karol Horosin: That's right.

[00:14:37] Dani Middleton-Wren: Oh my goodness. I'm definitely gonna take my Apple Watch more seriously.

[00:14:41] Cyril Noel-Tagoe: You raised a good point there in terms of alert fatigue, you see so many data breach notifications these days in the news that people are almost numb to them. But anytime there's a data breach notification, I mean, there's sites like Have I Been Pwned and others where you can check if your data was included in a data breach.

Like, when you see news on your data breach, that's the first thing you should be doing. See if you are impacted in that. And then you can start taking action. Even though it might be easy just to gloss over, like, ah, another data breach in the news.

[00:15:12] Karol Horosin: What I did after this incident, I basically reviewed all of the notifications I'm getting and turned off the ones I really don't need and started paying attention, because notification fatigue is a real thing.

[00:15:26] Dani Middleton-Wren: Definitely. So Andy, we've talked a little bit about what people can do. What can businesses do in the event of a breach, such as the electoral roll?

[00:15:35] Andy Lole: I think with an external breach of this nature, it's always worth sort of thinking, have we got good practice in place? To Karol's point, do we support two-factor authentication for our user login? The electoral roll, there's quite a lot of personal detail provided there. So is there gonna be information that attackers might be able to assemble enough of a profile to do a password reset or something through our system?

Are we aware of all of the areas of weakness in our stack that could be attacked and compromised with enough of a data set from someone else? I think this applies just as much in the public sector as in the private sector. But there are plenty of good practices here.

I stay away from saying best practices 'cause this is an area that is constantly evolving. So, it's not that long ago that it wasn't uncommon for organizations to keep passwords in clear text in their database. You know, that's thankfully now, and I hope in the majority of cases, behind us. But what that does register is that these kind of third party attacks or third party system attacks do impact us because if one of our users is reusing passwords across the sites they're members of, and there is a breach somewhere else where the password was stored in clear text, that then inadvertently puts their systems with us at risk. So it's not just about, are we secure? It's, are we secure, based on other areas of weaknesses that we have little or no control over, but can forecast? So have we done that forecasting, are we planning for the worst?

[00:17:02] Dani Middleton-Wren: Yeah. And are you kind of forecasting against that, the risks posed by your weakest link in the chain?

[00:17:08] Andy Lole: Yeah. And are you taking the time to identify that, to your point around weakest link in the chain, not just the chain that we own and manage, but the chain that we're part of in the wider ecosystem?

[00:17:19] Dani Middleton-Wren: I suppose that's where the greatest risks come from, isn't it, it's that, like you said, that which you cannot control. Great. Let's embark on topic number two. Elicit Telegram networks.

So Telegram rose to prominence as a privacy positive instant messaging app free from government and corporate surveillance. Kind of sounds like it's asking for trouble.

It's a not-for-profit entity and has over 700 million active monthly users worldwide. But its appeal as a private encrypted messaging network has made it a haven for criminals to discuss their dirty deeds and sell their tools or ill-gotten gains. So it's free from the prying eyes of law enforcement, which as we discuss this, we may want to also discuss the likes of WhatsApp, 'cause surely that is very similar set up with end-to-end encryption. And it's not monitored in any way, is it?

[00:18:11] Cyril Noel-Tagoe: Telegram, WhatsApp, signal and more.

[00:18:14] Dani Middleton-Wren: Yeah. So Telegram seems to be the one that's been particularly utilized and exploited by nefarious actors. So Cyril, I'll come to you as always to kind of set the scene for us with your principal security researcher hat on. So how prevalent do you think criminal activity and discussion on Telegram is, and well, and other encrypted apps like WhatsApp and others, and why is this, what is it that bad actors are seeing and exploiting within these apps?

[00:18:44] Cyril Noel-Tagoe: I mean, bad actors need a way to communicate with each other, like any two individuals, but they don't want others to see what they're communicating. So they will tend towards, you know, these privacy focused apps. WhatsApp's used, but WhatsApp's really used when people are looking to interact with consumers.

So stuff like phishing and other scams, they'll use WhatsApp. But I think there's a, like I definitely... people are scared that Meta might still be accessing stuff in WhatsApp. So that's not used as much as Telegram. Telegram is kind of open source and very privacy focused. So that is primarily kind of the go-to app.

[00:19:23] Karol Horosin: When you look at how the groups selling different information work, they are usually automated. Some of the channels work like marketplaces where the bot connects you with the right seller, and you just pick stuff from the menu. You want users and passwords from this organization. That's how much you want. That's what means of payment you have, and you'll get connected to the right person. So I think Telegram has a lot of strengths in that because they catered to the software development community.

[00:19:57] Cyril Noel-Tagoe: We do a lot of Telegram monitoring as part of our threat intelligence operations. So we monitor Telegram channels and groups covering everything from stolen payment cards, gift cards, combo lists that's username and password lists or even people selling accounts, people doing refund fraud. And a lot of the work we do is actually building personas and getting these personas into the right Telegram groups and channels to understand what people are talking about and using that to inform our products or share with our customers. They just need a place where they can talk privately, and you've got Telegram, you've got the deep web as well that people use for that.

[00:20:37] Dani Middleton-Wren: And what is the response like? Do you readily get nefarious actors? I keep using the word nefarious, like they're Bond villains or something. Let's stick with it. Do you get nefarious actors readily responding to you via Telegram?

[00:20:50] Cyril Noel-Tagoe: Oh yes. I mean, a lot of the Telegram actors weare talking to, they're trying to sell a service, right? So it's in their interest to respond to messages they get. As long as we don't come across as being law enforcement or security researchers or anything like that. So part of what we have to do is make sure that the personas we build are watertight enough, but once it's there, we can normally engage with them, as long as we use kind of the same slang and kind of vernacular as them, and try and get information from them.

[00:21:20] Dani Middleton-Wren: Yeah, I'm fascinated. Do you use avatars as your profile pictures? If so, what kind of avatars are we talking, to make sure you really fit into the gang?

[00:21:29] Cyril Noel-Tagoe: We've got a lot of different accounts that we use, and I'm not gonna give any information about those accounts in case someone is listening!

[00:21:39] Dani Middleton-Wren: But I think the fact that people are readily responding to you speaks to the fact that Telegram does seem like this safe space for bad actors to carry out their business.

[00:22:07] Dani Middleton-Wren: Okay. So Karol, one for you. What do you think are the challenges around building an encrypted messaging app like Telegram?

[00:22:14] Karol Horosin: When building an end-to-end encryption app, right now we have a lot of open source projects, which is good because you can copy from, but there are several features you need to think about. So one is infrastructure and that's why Meta and some of the organizations are not trusted with the data, because if your servers are in the country that has the full right to audit them at any time, even if they are encrypted, that poses a risk. So we look more favorably to apps like Signal that are registered in Switzerland when the laws are more prohibitive of government going to audit a given app. So that's a big thing. Then there's end-to-end encryption algorithm itself, which is a key of the communication. So this has been figured out. Hopefully the algorithms we know right now won't get cracked. But there still can be vulnerabilities in there. But all of this infrastructure and encryption leads to the biggest problem, which is usability.

All of us were probably annoyed at some point by losing our WhatsApp message history or other communicator messages history when we migrated phones. And when I was not aware of how that works, I was, "why can't I have it in the cloud? Why can't I migrate it easily?" And the reason was because the library of messages was fully encrypted and the keys were stored only on this device.

And the biggest annoyance for me was the fact that I couldn't move my message library from Android to iPhone because they use different storage systems, different encryptions. Right now, WhatsApp for example, allows to share messages and view them on different devices, but some of the apps don't, and that's usability sacrificed in terms of security.

So when making such an app, you have to consider this. So, you can use on interoperability. And of course there's always someone trying to attack your app. My experience from creating such outcomes when I was involved in a project, trying to develop an app connecting lawyers to their customers, so like a platform being a marketplace of legal services.

And this was our biggest problem. How to balance usability with security in there. And the trade-offs you have to sometimes make are really big and there's always someone trying to attack you. And whether that's a government with legislation or other groups or whether that's actual people that want your data out.

So these apps, as you can imagine, people feel free to speak about certain things on those apps. So any back door, any way to get this information out is a very, very tempting thing for attacker, because you can get not only information that would allow you to steal someone's money, identity, but also to highly impact their lives.

People talk about a lot of stuff on encrypted apps, send photos, send stuff they wouldn't like to see online.

[00:25:23] Dani Middleton-Wren: What kind of photos are you talking about, Karol?

[00:25:25] Karol Horosin: Um, of course, profile pictures of threat researchers.

[00:25:33] Dani Middleton-Wren: Yeah, that's really, really interesting. And I hadn't even thought about the cross operating system challenges of moving from Android to Apple and the encryption keys and what those implications are. Because once you're an Apple user, you just tend to think it's all in the cloud, it's safe, it's fine.

I can just get that from anywhere. But no, that is not the case. Okay, Andy, what have Meta had to say about things like the Online Safety Bill? Is there some unity in the encrypted messaging space and what's likely to happen to these apps?

[00:26:04] Andy Lole: So I think looking at this from the most cynical perspective, it's actually in the interests of the large platforms like Meta to encourage and maintain full end-to-end encryption 'cause that actually takes away their needs to be involved in any kind of compliance request.

If they can confidently look any kind of regulator in the eye or law enforcement services and say, not our problem. We can't help. That takes the onus off them to get involved. And whilst you could argue they are taking a political position, they don't end up in a world where in certain territories they're obliged to share information.

That's a very cynical way of looking at it, but the cost of operating these platforms is often, I think, underestimated, given that we're expecting to use them for free. WhatsApp, Facebook Messenger from, both from Meta, there's huge costs associated with that. So they're not necessarily looking to extend the cost of operation further by having compliance teams involved.

That's looking at it cynically. Looking at it from a more positive impact, Meta have certainly made plenty of noise around wanting to be engaged with compliance. Their position on a lot of these sort of things is we're happy to be regulated so long as it's constructive.

And again, it's difficult not to be cynical about that, but I think until we actually see regulators trying to push Metato get involved and really actually grasping this, it's gonna be difficult to make a fair assessment of where they're at. Personally I definitely think it is on the regulators here, that the tech world, big tech has run so far ahead of regulation across all kinds of things over the last 10 to 15 years that we do need our lawmakers to try and catch up with it, but catch up with it in a sensible way.

There is... the whole point of this conversation we're having is, is encryption good or not? In some cases the answer is obviously yes. In some cases, there is incredibly strong reason why we would want law enforcement to be able to access people's systems. So, seeing how Meta respond, and do they truly respond ,will be an interesting tell on where things might move to in the future.

[00:28:14] Dani Middleton-Wren: Yeah, that's a very good point there, Andy. So we talked about encryption from the bad actor perspective and that it's protecting people, it's protecting their activity. But what about, you know, it's being put in place for good reasons. So is the solution to, I suppose, not protecting people who are carrying out illicit activities, but making sure that people who want to keep their messages private for whatever images they might be sharing, Karol. Is there a solution? Is there like a happy medium?

[00:28:46] Andy Lole: Is an incredibly good question, to which I don't have a very good answer.

[00:28:50] Cyril Noel-Tagoe: No one has an answer to that at the moment. I mean, one of my gripes with the Online Safety Bill at the moment, so last month there was a group of cyber security and privacy researchers from a number of universities, including where I did my degree, so a few of my former professors, they sent an open letter to the government around the Online Safety Bill, and they considered kind of the two main approaches that this could take and kind of refuted them. The first being that you create some sort of back door to the encryption so that law enforcement can access it when necessary.

And I'm gonna quote what they said because they put it very succinctly and I can't do it justice without quoting it. But they said, "there is no technological solution to the contradiction inherent in both keeping information confidential from third parties and sharing that same information with third parties. Giving the state the technological means to access every private message and image implies that any actor with access to the relevant monitoring facilities will have the same access." And if you think, like I spoke earlier in this podcast about WannaCry, that is initially happened because some hacking tools from the NSA got leaked and that got used to create this big, you know, cyber attack that spread across multiple countries.

So you can't create a technological solution and hope that just a few governments have it because, A, there's a risk that others will have it, might get it, and also we can't trust what the governments might choose to do it with it in the future. And then kind of the second approach is client site scanning.

So can you scan messages before they're encrypted. And really the bill is looking at this and would kind of like to protect children from, you know, exploitation of images being sent. So to do that, you'll essentially need to have some sort of program that's scanning for these images, either comparing it to a database of known content or using self live machine learning to detect when there's new content.

So let's assume that they're comparing it to known content works, you've still got kind of the new content and using machine learning for that, no model's gonna be a hundred percent accurate. You're gonna have false positives. And what happens when those false positives, that's gonna get sent somewhere to be analyzed.

So you've essentially got this risk of someone's private images being sent across, were completely legal, completely fine private images being sent across to some government department to be inspected. And that's the most egregious violation of privacy possible. So I don't see a solution at the moment to kind of that problem of kind of keeping private messages private for just one class of people. It's either private or it's not.

[00:31:33] Dani Middleton-Wren: Yeah.

[00:31:33] Karol Horosin: Yeah, the technical solution doesn't seem to exist and we need to be sensible because what the stories behind rationale of those proposals, potential lives and livelihoods of people being saved. They're hard to argue. And I think everyone in the tech space, if there was a way to do this right, they would support it.

But, I'd like to relate this to some real world situations. So, this move from government shows that they got used to control over certain information because so much of our lives move to online now, even this podcast is recorded remotely. We need to think about our online presence as our real life presence.

So do I want to have a right to take someone I trust on the side and whisper my secrets to them? Yes, I do. And if most of my life now moved online, do I want to have a right to share those secrets confidentially? And my answer is yes. And so there's a question of boundaries. Where do we draw them? And I think privacy boundary is a really strong one.

But if there was a solution, I think there's no one that would oppose it.

[00:32:54] Dani Middleton-Wren: Yeah, I think you're quite right. And to all of your points, I think the challenge is that technology has advanced much, much faster than anybody could have fathomed even five, 10 years ago. You've got businesses like Meta who essentially have a monopoly on a lot of social media, and therefore they wield a lot of power.

It's then how do legislative bodies catch up, and do they have that power themselves, so they have the knowledge and the understanding to tackle these really big important issues that we're talking about today?

So for today, let's round up with our attack of the month. This month we are talking about residential proxy attacks. So a recent report indicates that another botnet called AVRecon, Cyril you may want to correct my pronunciation there, is leveraging compromised routers to fuel residential proxy networks. Do you want to just give us a little overview of how residential proxies work? And please feel free to correct any pronunciations, or mispronounciations, that you may have just heard.

[00:33:57] Cyril Noel-Tagoe: I mean, I say AV Recon, but you know, I might also be wrong. So, I mean, I'll explain proxy networks in general first and then look at residential ones. So a proxy network is essentially an intermediary network between the source of some internet traffic and the destination.

So let's say, Dani, I'm buying something from your shop, your shop's based in England. I'm on holiday, but I know that your shop doesn't let me buy stuff if I'm not in England. So I might use a proxy network to make it look like I'm in England. So I'll connect to a network that's based in England and then from that network connect to your shop.

And as far as your shop can tell, it's come from England. So that's kind of how a proxy network works at a very, very high level. And generally proxy networks were kind of, you know, these big ISPs or kind of server farms, which would just rent out their IPs. But increasingly we see residential proxy networks, which are proxy networks which use the rented infrastructure of kind of normal residential devices. So you know, like your laptop, your desktop, your mobile phone at home, which is going through your typical internet connection. And 'cause they're going through a typical internet connection, they look like the standard connection that, let's say a shop is expecting to receive.

They're not expecting to see lots of requests from a big data center somewhere. They're expecting to see people connected to them from their home. So that's the idea behind kind of residential proxies. And there's a lot of proxywear companies out there which basically allow you to install an app on your device and it then rents, you can rent out your network connection through that app and you can make some passive income.

So there's stuff like Honeygain, Peer2Profit, and a few others, and they generally package that. They sell that to a big residential proxy network provider, and then someone who wants to hire their address, buys or rents out that IP address. So those, that's kind of like the legitimate, or I'll say legitimate in air quotes.

I know people can't see air quotes on the podcast, but yeah. Legitimate in air quotes. You've got the illegitimate ones. So you mentioned AVRecon or AV Recon, and that one compromised people's routers with a botnet. And then it rented that out to criminals who wanted to look like they were coming from a residential network. That was actually rented out through a service called SocksEscort, which is used by a lot of carding, so people doing credit card fraud. If you're using a credit card, you need it to look like it's coming from the same place that the person normally uses it from.

So using a residential proxy is a common tactic they use to actually locate the IP address they use to the exact location, exact city that their target is from. And then you've got other botnets such as our RSocks, which was taken down last year, I believe, which compromised typical computers and smartphones and even IoT devices.

So things like, you know, you might have like a thermostat that's connected to the internet or maybe like a smart fridge or something like that. A smart TV. And basically rent out your IP through that. And then you've also got kind of proxy jacking, which is a slightly new thing, which takes advantage of these legitimate services, like Honeygain and et cetera. And, you know, like crypto jacking where people will install some malware and then mine cryptocurrency on your device and profit from that? Proxy jacking is essentially that, instead of mining cryptocurrency, now they're renting out your IP. So someone might install some malware on your device and then rent out your IP to something like one of these proxy companies and then make money off that.

[00:37:28] Dani Middleton-Wren: Thanks so much for that, Cyril. I feel like I am in the know and I'm gonna pronounce AV Recon correctly going forward. Okay, so Karol. It'd be really great to get your kind of insight into how else attackers might gain access to residential IP addresses.

[00:37:44] Karol Horosin: Oh, there's all sorts of ways that we already touched upon, but I think the biggest source right now are IoT devices. So, throughout this podcast, we've mentioned different ways, like, activist attacks. You might take part in something that you wouldn't want to. But definitely any devices that live in our homes, that's is something that often customers come to us with, because the devices often are not supported for a long time by the manufacturers. So your smart fridge may have a good and nice and smooth software, but it's not going to get updated years in the future. So unless it's zero trust and really locked down from the get-go, it will probably get hacked. And this is really hard to combat as long as we have devices that talk to internet and talk to external services.

So the easiest way for attackers right now is to get the smartest device they can find at your home and infect it and use it for their purposes. And because those devices now start to have more and more powerful hardware, CPUs, and systems that are used in regular cases, they are easier to infect because say a lot of devices now use Android.

And there's thousands and thousands of people trying to hack Android and find zero days, or any other workarounds. And even if the vulnerabilities are not fresh, the Android on the home devices won't be updated. So, the thing is, it's probably one of the easy thing to do by an attacker. There are challenges, technical challenges to using those networks. So luckily it's not as easy to coordinate some of those attacks, but once you get experts in the field that do it for years and build networks and are good about, with shifting the devices and they're smart with their usage of those networks, this is a big threat to a all of systems.

[00:40:02] Dani Middleton-Wren: And do you think that those IoT kind of devices, so whether it's your fridge or your watch or whatever, are they not maintained as well because they aren't considered to contain as much important information? Whereas say your laptop or your phone, you might be a bit more rigorous personally.

So when you get updates sent through, you'll say, right, okay, I wanna make sure I do this update because it holds all of my personal or my business information. Does that not carry through to other IoT devices?

[00:40:31] Cyril Noel-Tagoe: So I think it's partly more that the connectivity is an afterthought in these devices rather than the core product. So if you get a laptop or a phone, kind of, the software is the core product and that you expect that to be updated. And even then we see that people don't update their phones unless they have to. Right? When you've got a connected device, let's say like a smart TV, as long as you can watch TV on it and the apps you want are running, very few people are updating their TVs. Then what happens if that actual developer for that software moves on to a different project? There's no one there actually to add updates to that. After a certain amount of time, they might just discontinue the product, but it's still working for you.

You're still using it and you get all these vulnerabilities piling up in it. But then you've got some devices where they just didn't think about security. And there's a popular search engine that you can use to find IoT devices, or devices connected to the internet and the amount of devices you can see with like default credentials, so like the default username and password, or no username and password connected to the internet, even these days is astounding, really.

[00:41:40] Karol Horosin: Yeah, I think a big part of it is associated with the cost of such devices. So when you're buying a phone or a laptop, there's enough margin for the manufacturer to have a software support team running and working on fixes all the time. When you're talking about a $15 smart plug, then the margins that allow you to run software maintenance programs are much, much lower. So there's just no economic incentive to do that, and there's no legal requirement to do that as well. Even with phones, most of us using our phones longer than the software updates release cycles. I would say Apple is a good example here. They're actually maintaining their software updates for five generations but several manufacturers now brag about doing updates for three years, which, three years is not a long time now, when many people say that we reached peak smartphone. So even in devices that you would expect to have high security, they don't.

So in cheaper devices, they are just left behind and they're using out of the box setups, default credentials. As Cyril mentioned, there's just no emphasis on security and there's probably no budget for security in those projects.

[00:43:01] Cyril Noel-Tagoe: I mean, we've been talking about government legislation and kind of the Online Safety Bill, which I don't think is the right approach.

But in the topic of IoT and security, the government did publish their product security and telecommunications infrastructure act last year, which looks to address a lot of the shortcomings in IoT devices, making clear security requirements for people developing those either in the UK or for use in the UK.

So I think that's definitely a major step in the right direction from government. Obviously you'll still have the legacy problem to deal with, but a major step in the right direction.

So to sum up, what are the risks posed by residential proxies to businesses? Karol, let's come to you first.

[00:43:41] Karol Horosin: So the most obvious one is when you look at how the common filtering in security is done without the usage of smart tools that can detect attacks. When you look in an IP that gets a lot of traffic that brings you money, so you get purchases from this IP or from a set of characteristics related to this IP, then you are unlikely to banthis person. And many of the tools that are on the market wouldn't even allow you to do that. So it's hard sometimes to limit access from a residential IP that's used for proxying without affecting an actual customer. So that's a really big challenge, because even though you may know that a device coming from this household, using this set of characteristics is malicious, you might not be able or don't want to block it because you don't want to deal with the rest of the consequences because there's a real customer using those devices and you can block them as a result. So there's effect on customers and there's also effect on infrastructure and its costs. So, of course, when you are allowing more traffic that even though you know it may be malicious, you have to pay for servers infrastructure.

You are affecting the service for other customers and you have to invest more in security and do a lot more to be able to detect those. So this happens whether you have this problem or you don't have it yet, because many actors are building their strengths in residential proxy area, and if you're a big player, you'll probably get attacked with such a network at some point.

[00:45:35] Cyril Noel-Tagoe: You're probably gonna look at a residential proxy and either think it's a customer because it looks like your customers and allow it. Or do the opposite and realize that it's not a customer, it's an infrastructure similar to a customer that's being hijacked and locked up.

Both extremes are quite, quite risky. If you're allowing all residential proxy traffic, you're allowing bad actors to exploit it. And if you're blocking it all, you are blocking legitimate customers as well. I think that's the power of residential proxies compared to kind of your other proxies.

So I think that's the biggest risk, just trying to find that balance where that you're not impacting your real customers, but at the same time, not letting people piggyback off them.

[00:46:17] Dani Middleton-Wren: So would say you needed some sort of technology that could help you look at anomalous behavior, or who looks at visitors as a large group and picks out unusual behavior?

[00:46:28] Cyril Noel-Tagoe: Yeah, definitely. And I mean, one of the strategies is also, if you had knowledge of the residential proxy and you could determine things like, there's probably a clever name for this, but I'm gonna create one 'cause I don't know the name, something like a group effect, right?

So if you have one member of a residential proxy make a request compared to suddenly half of the residential proxy network making requests, one of those seems more likely to be an attack under the residential proxy compared to the other. I don't know if there's an actual formal name for that kind of analysis, but yeah, if you've got a company that can analyze both the requests, but also analyze proxy networks themselves, then that is the best way to deal with this.

[00:47:09] Dani Middleton-Wren: Great. Thank you so much and thank you to all of our fantastic panelists for that discussion today. It has been so interesting. I think we've covered a lot that we will probably dig into a lot more as the series continues, 'cause there are some recurring themes as the series has gone on so far already.

But yeah, it'll be interesting to see what pops up, because obviously this week we've seen things like the electoral roll cyber attack as we were already thinking about discussing the Risk Register. So, let's see what happens. Thank you all so much for joining us and if you would like to follow the Cybersecurity Sessions podcast on Twitter, you can find us @cybersecpod. You can also subscribe and leave a review, or you can send us any questions to podcast@netacea.Com. Thank you all for joining us and see you again next month.