It’s the topic on everyone’s minds: The new state of our world amid and after a global pandemic. Mikko Hypponen, F-Secure’s Chief Research Officer, joins Episode 38 of Cyber Security Sauna to discuss a host of COVID-19-related security topics. In this episode: Avoiding Zoom bombers, new concerns for IT environments, COVID-19 hoaxes and spam, ransomware and hospitals, APT activity, privacy concerns of coronavirus tracking apps, and how the infosec community can help.
Janne: Welcome, Mikko.
Mikko Hypponen: Well thank you, Janne, and thanks very much for having me.
Always glad to have you. In our last episode we covered some of the IT challenges with remote work. A lot of the infosec Twitter right now is about Zoom. Zoom is surging in popularity, as people look for easy ways to make conference calls. Is Zoom really all that bad?
Well no, actually it’s not. I mean, things could be much worse. And there’s very good reasons why Zoom is becoming a massive success story.
In many ways, what’s happening right now with Zoom reminds me of what happened around 2003 with Skype. When Skype came around, it wasn’t by any means the first voice over internet or voice over IP solution. However, it was the first which just worked. It was the first which was reliable. It worked every time, you didn’t need to configure open ports, you just installed it and you could do it.
The same thing is happening with Zoom, and that’s why it’s becoming such a massive success story, and that’s why home users and corporate users around the world are using it regardless of what they are being told about possible privacy problems or possibly security problems, and regardless of what corporate users are being told by their CIOs or CISOs or any other IT people.
So what are some of those privacy concerns?
There’s been plenty of small issues over the last two years or so. So, if you look at the CVE history of Zoom, they’ve had real security vulnerabilities in there, including code execution vulnerabilities. But they’ve been fairly responsive in figuring those out after they’ve been reported and they’ve fixed them.
Just during the pandemic there’ve been pretty big reports about how whenever you start a Zoom call, Zoom reports it to Facebook. Which was true, and they’ve already fixed that. It didn’t seem to be on purpose. And now we’ve been getting reports about cases where when you send messages over the Zoom chat, these can be used to make you click on things which will execute files on your own computers or maybe try to make your Windows computer try to log into a remote Windows computer, which can expose some of your credentials, although in encrypted format, but nevertheless.
So are there any tips for users for making the Zoom conference calls more secure?
Well, yeah. There’s things users can do, and there’s things Zoom can do. And actually, Zoom has already made an announcement that they are now enacting a feature freeze, and they are shifting all of their engineering resources to only work on trust, safety and privacy. So whatever new features they were planning on putting out next are on hold, and all their engineering, all their coders, all their testers, are trying to make the product better in regards to security and privacy.
And this reminds me of, again, what happened in 2003. Microsoft, in the 2002, 2003, 2004 time frame, was in the middle of these massively large worm outbreaks, like Code Red and Blaster and Sasser. And this was the time when Bill Gates put out the famous Trustworthy Computing open letter, or actually, a letter directed to all Microsoft employees, which of course then became public. Which basically said the same thing. They did a feature freeze inside Microsoft, and stopped all new development, and put all of their engineering resources to fix security problems.
And when you look at what’s been happening with Microsoft ever since, well, this is what the road to the security levels we enjoy today in Windows, this is where they started from. And the end result is pretty good. Windows is pretty good.
Okay. So is there anything you’d say to the users of Zoom?
Sure. Users can do things as well. There’s different kinds of things. One of them is to avoid what’s known as Zoom bombing. Zoom bombing means that you are in the middle of a meeting and then some outsider finds your meeting and just drops in. There’s reasons why people can do this. One of the reasons is because they find your meeting ID because you posted it in a public place. And meeting IDs can either be numbers, that’s nine numbers in a row, or it can be a name for some registered users. And if your meeting ID is public, if there’s no password on the meeting, anybody can join.
Another way bombers find open Zoom meetings and join in to wreak havoc is they do what’s known as war dialing for Zoom, basically trying all the Zoom meeting IDs to find meetings in progress which have no password.
So, what can you do? Use a password. Every time you have a Zoom meeting, put in a password. Even a simple password will most likely protect you against Zoom bombers. That’s what you should be doing in any case.
Another thing which is good to know is that when you have a Zoom meeting in progress, especially things like corporate meetings where you might be discussing stuff which is not public, it’s possible that people join the meeting not over a video connection, but by dialing in with a phone. And this is pretty invisible. When somebody’s actually dialing in with a phone, you might not recognize that they are in the meeting at all, so this is good to know. Realize that people who get the meeting details might be in the meeting – or an outsider who gets the meeting details might be listening in, and you won’t even realize they are in there.
A similar thing is what you say in the chat during a Zoom meeting. Assume everything you say in the public chat or in a private one-to-one chat during a Zoom meeting will eventually become public. Don’t put secrets in the chat. So that’s basically how you start securing your Zoom meetings.
Well, that’s good advice for any platform. Another thing I’ve been noticing is COVID-19-related hoaxes and spam campaigns are running rampant. Has there been anything noteworthy about those, anything that sticks out to you?
I think the thing that surprises me is that we see hoaxes again. Like, these stupid chain letters that people just keep forwarding without double checking any of the facts in them. And for some reason, these chain letter hoaxes seem to be more successful during times of crisis.
So for example, right now during the pandemic, we’ve seen multiple chain letter messages, especially inside WhatsApp, where people are trying to warn each other about things which don’t happen. A couple of noteworthy cases include the so-called “Martinelli” message, or the “Dance of the Pope” message. So these are just messages where people warn each other that if you get a video about “Dance of the Pope” it’s going to destroy your device, and BBC has put out a warning, or the police have put out a warning.
And the thing we can all do to fight hoaxes like this is to inform people around us and inform users that when you get a warning about some cyber security threat or something like that, don’t forward a warning that has no sources. These hoaxes always just have a message and they might mention a source, but there’s no link. So share links to trustworthy sources, don’t share unconfirmed rumors.
Yeah, I actually had my friend contact me about that specific message and ask me, “Is this something I should share?” And I just looked at it and I was like, “Man, this sounds like a scam.”
Yeah, and it’s a bit weird, like why do people come up with these hoaxes? Because clearly, the people who originate these hoaxes don’t benefit in any way. This is not like a phishing scam or malware. It’s just a rumor which goes around the world, and the original people who launched it, they don’t even see or know who gets to see the rumor. They don’t benefit in any way from these hoaxes. So I don’t really understand why people start these hoaxes.
Yeah. Is there anything else we’re seeing that cyber criminals are doing differently right now?
Well, yeah. We are seeing much more COVID-19 and coronavirus-themed email scams and phishing attacks and mobile messaging scams. However, this isn’t really newsworthy, in the sense that things like these happen during every big news item. When something big happens, these scammers automatically will use the themes in their scam messages and scam emails.
The last time we saw this in large scale was during the Kobe Bryant tragedy. We immediately started seeing spam and scam emails using news items about that. And right now we’re seeing tons of spam using COVID-19 messaging or themes, or phishing attacks which look like they’re coming from the World Health Organization, or text message scams which promise that you’ve been given a donation from the government to help during the tough economic times. And these are all scams. But these are no different from any other major news item. Major news items always get misused in attacks like these.
Yeah, I’m sure. So, privacy concerns and security concerns about platforms, hoaxes and scamming, spamming, are these the kind of things companies need to be worried about, now that most of their work force is remote?
Well, these are challenging times for the information security departments and IT departments of companies. Because we truly are now living in the golden time of the remote workforce. This was discussed in detail in the previous Cyber Security Sauna episode, so I’m not going to touch upon that too much. But it is important to realize that it’s not just employees working from home with their laptops and mobile phones. Many employees have taken their desktops home. You think about the typical developer who used to be sitting in a cubicle in an office with a powerful desktop. Well, they’ve taken those desktops from the office and they are now in their home networks, connected to the internet.
I mean, that’s what’s happening in every company. And those systems typically don’t have VPNs installed by default, because they’ve always been inside the corporate network. And now they are in a home router which might have a password from 2009, in a Wi-Fi network with no password at all. So there’s things to be worried about, and things to be checked by IT departments when everybody has left the office.
Sure. One of the things you mentioned yourself was you called for attackers to stay away from healthcare organizations, and actually some promised to do so. What happened on that? Are we seeing any of these attacks? Are the attackers honoring their promise?
Yeah, it’s a tough topic. Hospitals have always been lucrative targets for cyber criminals. And I’m quoting a Europol paper on this, where they were studying what kind of targets ransomware gangs are targeting, and they mentioned in specific that healthcare facilities such as hospitals are considered to be profitable targets for ransomware.
And this is pretty self-evident. When you think about critical environments like hospitals, when their computing systems get shut down by ransomware, they have to get them up one way or another. And if the only way to get them up is to pay a ransom, it’s likely that they would do that.
And today’s healthcare facilities are filled with computers. If you look at footage of coronavirus clinics or hospitals, you’ll see that every hospital bed has a laptop right next to it. And when you look closer, you might actually see that many of those are running Windows 7 or something like that, systems which are already out of date and already out of support.
Healthcare facilities are quite often funded by public funding or city or county funding, which means they often have pretty strict budget policies. And when you have limited budgets, you end up running legacy machines, which means you have poorer security. And as an end result, we’ve seen dozens of medical organizations being targeted by ransomware over the last years.
Absolutely. You also envisioned the infosec community sort of uniting to hunt down attackers if they harm these life-saving medical facilities during this pandemic. One might wonder why this wouldn’t be true all the time. What sort of extra efforts would you imagine we might see?
Well, right now everybody’s sitting in their home, helpless and scared and hoping they could somehow help. And most of the people who are no longer at their offices can’t really help the heroes who are fighting this problem, the doctors and nurses and first responders. But those of us who work in infosec, well, we can help, and we want to help. I think everybody who works in cyber security or information security in one way or another is more than willing to help to fight attacks against medical organizations. And I don’t just mean hospitals, I also mean organizations which are, for example, trying to find a cure, the medical research organizations.
And this is exactly why I made the statement I did in the middle of March, targeting ransomware gangs, basically telling them to stay away from hospital targets and that they will be hunted with much more rigorous effort than ever before if they dare to target medical organizations in the middle of this pandemic, just because there’s so many more volunteers and so many more researchers in companies around the world who are very eager to put their effort into fighting scumbags who are targeting hospitals during a pandemic.
Absolutely. But you’d think that everybody would get behind these heroes who are saving lives every day. Who are the people attacking them? Is there a common profile that you’ve been able to discern?
If you look at the ransomware gangs that are most active right now, gangs like Ryuk or Maze, we know quite a bit about the organizations behind the biggest ransomware gangs, and many of them operate as a ransomware-as-a-service model. That means that we have the heads, the developers who develop the framework and the actual ransomware, but then they outsource the practical attacks to third parties. And all of this is being organized through the Dark Web websites where they run these operations. So it’s a tough problem to solve because the actual attacks might be done by third parties which had nothing to do with the actual development of the ransomware.
And it’s also important to underline that quite often, people have the vision that all of these ransomware gangs are coming from Russia. Not all of them come from there. There are gangs from all over the world. Yeah, ex-Soviet states might have a bigger percentage of ransomware gangs than the rest of the world, but it’s not just a Russian problem.
Well, on the topic of APT groups, is it just me, or are we not seeing a lot of activity on that front right now?
Yeah, we are seeing some nation state activity as well, but it might actually be laying a little bit low at this time. It is interesting to see that we have seen some nation state attacks that are using COVID-19 messaging in trying to trick users into clicking on links or opening up attachments. So even they are jumping on the bandwagon of using big news items as the cover story.
But this is probably a little bit quieter time on that front than what we saw just a month ago. It’s crazy to think that all of this is happening in – I mean, I’m sure that March of 2020 was the longest March in history.
Absolutely. Do you think the lowered activity is because the groups are taking a breather, are they affected by the virus themselves, do you think the nation state activity has shifted towards fighting the pandemic instead of offensive actions?
We don’t really know. But that’s what I was thinking myself, that maybe some of the resources which would have been spent on doing infiltration attacks or information gathering from foreign governments are now doing something else, because everybody’s trying to fight this pandemic.
Yeah, that makes sense. So what about governments using technologies like location data for tracking people to slow the spread of coronavirus? Where are we on that?
We’re seeing pretty interesting initiatives on the app front in different countries. Singapore is an interesting example, because they have an app that the citizens can install voluntarily and then it will track their movements around the city, and then they get notified afterwards if they happen to be too close to a citizen who turned out to be COVID-19 positive later. So for example, if you were sitting in the same bus with someone who a week later turned out to be infected, you would get a notification. And that’s really valuable. That’s really useful. That’s something I’d like to have myself.
Does that have privacy implications? Of course it does, absolutely it does. But this is a tradeoff, and it’s a tradeoff I would be willing to make right now, I think most people would be willing to make right now. Being in a position where you would send your physical location to a third party at all times just so you’d know if you’re under risk later, is useful and it’s probably a good tradeoff.
The risk is if we are now granting extra rights to operators providing services like these, how do we revoke these rights when the pandemic is over?
Absolutely. And you and I, we live in Finland, and you mentioned Singapore there. Governments like these are one side of the conversation. But for example, when the country of Iran published their application like this, there were some concerns that they might not have your best interests at heart.
Yeah. And once again, when you collect large amounts of information, including medical information, location information, personally identifiable information, how do you store it? Where do you store it? How do you encrypt it? How do you delete it? These are all great questions, and we shouldn’t ignore them, even in the middle of the pandemic. So we have to take care of how information is gathered, stored and deleted.
But the most important question is, how do we prevent a situation where the special rights given to authorities right now stay in place forever?
Absolutely. Nothing’s more permanent than temporary solutions.
That’s great wisdom right there, Janne.
Okay. Taking a longer view, how do you see COVID-19 changing our industry or our world?
Well, to be frank, I have no clue. I don’t really know. It’s kind of hard to forecast the future here, and I’m not even going to try. In the same sense that I’m not going to lie to myself that I would be as productive right now as I am during normal times. These are not normal times. And I had high hopes of being able to do things I haven’t been able to do now that we’re all in quarantine and we’re not being distracted by the daily office work. Well, I haven’t been as productive as I hoped, and I don’t think any of us have been. And I think it’s okay. I think we should have some mercy on ourselves, because we are not just working remote. We are working remote in the middle of a worldwide pandemic.
Well, that’s a relief. I have a copy of Anna Karenina on my nightstand, and I was supposed to read it. And I’ll tell you, I haven’t even opened it.
Yeah, well, I can spoil it for you. I can tell you who did the murder.
No spoilers, no spoilers.
Yeah, the world will change, and this is historic. This is the biggest news item of the decade, and this will be one of the biggest news items of the whole century. And we are living through it right now.
Absolutely. So on a more personal note, you’re used to being on the go, flying around the world, appearing at conferences and so forth. How’s it going for you being isolated at home?
Well, it’s very different. I haven’t been on the road for weeks. I will not be on the road for many more weeks, and it is indeed very different, because normally I’m traveling somewhere every week, maybe twice a week. And it’s great. I mean, is this what normal people do? Is this normal life? I really like it. But eventually the normal life will return, and eventually I believe I will be back on the road.
I’m sure that’ll happen. Hey, thanks for joining us.
Thanks very much, and good luck with your work, remember to wash your hands, don’t get sicko, this is Mikko.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.