For the 103rd instalment of the Kaspersky Transatlantic Cable podcast, Dave and I take a look at some important stories that you may have missed this week.
To start things off, we go to Louisiana, where a handful of schools have been attacked with malware. From there, we jump across the Atlantic to South Africa, where ransomware hit an electrical company in Johannesburg.
The next story looks north to England, where Mozilla has pointed out that a tool meant to show transparency in political ads on Facebook is not working as it should. We then discuss this week’s PSA of updating your iPhone or iPad ASAP. To close things out, we look at a new vulnerability in contactless payments.
If you enjoy the podcast, consider subscribing and sharing with your friends who need more regular updates on security. For the full text of the stories, please visit the links below:
- Louisiana’s governor declares an emergency after cyberattacks on several school systems
- Ransomware hits Johannesburg electricity supply
- Kaspersky Anti Ransomware Tool
- Tories continue Facebook ad spree as “major bugs” block transparency
- Researchers found six severe bugs in iMessage — update to iOS 12.4 right away
- Hack breaks your Visa card’s contactless limit for big frauds
Jeff: The first story today goes into a cyberattack on school systems in Louisiana.
Dave: Yeah, that’s right. The governor of Louisiana, Governor John Bel Edwards, has declared a statewide emergency, which I’m going to be honest, I’m gonna hold my hand up here and say that I’ve never seen this before. This is the first time I’ve seen a statewide emergency for some form of cyberattack. And basically, it revolves around the fact that a couple of the schools were hit by, quote, a cyberdata breach. We don’t know any more than that. I know, over in the States, there’s been a lot of publicity around several different attacks. And I think we’ve spoke about these in the past. And Jeff, we’ve talked about the Atlanta ransomware hack —
Jeff: Atlanta. Baltimore.
Dave: — and in the article, attorneys mentioned that a couple of cities in Florida have also been hit. This is the scary part. We’re in July. So you know, halfway through the year, and quoting from the article here, they have been at least 22 reported breaches of public sector networks in 2019. So far, that’s 22 reported breaches, how many others go unreported?
Jeff: A lot, probably.
Dave: Yeah, probably. So I think it’s fair to say that, you know, this stuff isn’t going away.
Jeff: I think what’s interesting about this one is that you see, by the governor calling it a state of emergency, they’re able to get more agencies helping them. So now you’ve got the Louisiana State Police, the Louisiana National Guard, the government, the Office of Homeland Security and Emergency Preparedness, the State Office of the technology service, Louisiana State University, and other agencies. So there’s a bunch of people working on this, and I think they’re trying to figure out what those next steps are and how to move forward, which I think, you know, as we’ve seen is ransomware on municipalities has become almost a niche industry, if you will, in the in the states over the past, you know, seven months or so. So I think this is something that that’s interesting. But then, you know, we look at the second story today, you know, similar to the city being taken over, Johannesburg’s electrical supply was hit with a ransomware attack.
Dave: All in the same week, we see Louisiana hit by cyberattack. And then in the same week, obviously not related. But in the same week, we see a major electricity supply in South Africa’s largest city, Johannesburg, hit by ransomware attack, which led basically to people not being able to pay bills. And there’s a couple of blackouts. And I think it affected the response times of the engineers fixing the blackout. So I think it’s a difficult one, isn’t it? Because I do wonder if there are criminal gangs out there, specifically targeting municipalities and cities, and state-run networks, because I think they probably know that they’re a bit of a soft target, you know, you’ve got multiple endpoints, some of them running Windows XP, a lot of them not having antivirus software, you know, they’re really easy targets for attackers to hit. So originally, what I probably thought was something, you know, they were just sending this stuff out en masse, I wonder now, if some of the attackers are specifically targeting networks like this, because it’s easy.
Jeff: I think, when you’re looking at it, this kind of gets to the fact that, you know, some of these municipalities paying and now it starts to set the ante up for people where, you know, I think, you know, use the military type of term of “shock and awe,” where you hit something with the maximum impact. And, you know, I think when you look at something like power, it makes it easy for people to want to, you know, pay the ransom, and get everything back up and running, because this is really going to impact people’s way of living. And I think that’s one of those things where you start to look at it. And now that’s, that’s something where the pressure comes on them, where it’s not just the pressure of paying the ransomware and getting the data back. But in a case like this, you’ve got pressure on you based upon your customers who are looking for, for air conditioning, probably or food or, you know, all those types of things, you know, start to add up and it becomes a matter of what’s collateral damage, and what’s the cause and effect, and when you look, you know, getting back to the first story about the some of the ransoms that were paid in the US, you’re looking at almost a million bucks in some areas, I think.
Dave: Yeah, I was I was trying to remember there was a story that we covered a couple of weeks ago, and it was specifically 600,000 US dollars, wasn’t it that they paid?
Jeff: So you’re paying over half a million US dollars.
Dave: Yeah, that’s one attack. You know, that those attackers are rubbing their hands together?
Jeff: Because is easy money. Now, somebody’s mom’s basement is up in this jammy jam.
Dave: Yeah, I think that’s, that’s true. And I do think that these networks have been hit specifically because the attackers know that they’re soft networks. So you know, why, why go for small hits, like Nan and Gran down the road, who might have a few thousand pounds stuffed away somewhere in their laptop, you infect their laptop, ransomware, you might get something off the back of it, you might not, but if they hit some of these bigger networks, we do see that, as you said, you know, we are seeing cities and companies starting to pay now. So it’s just one of those things, and I think it’s just going to snowball, if you don’t stand up against it.
Jeff: That may become a major trend. And I think when you look at this, you know, it’s really one of those things where, you know, municipalities using it, like there are tools there to get this out. So if you haven’t hit with ransomware look at a site like no more ransom or, or install something like the Kaspersky antiransomware tool or KART; we’ll link to that below. But that’s something that watches when a system changes and it’s able to roll things back. Make sure you backup your data to so everybody get up on this city’s nan-and-granddads, as Dave is calling them now. Don’t pay the ransom.
Dave: So you mentioned Facebook, and that is a nice interlude into our next story. So the next story is from the Guardian, talking about how the Tories — or conservatives, whatever you want to call them — are continuing a Facebook ad spree as a major bug has been found — sorry, I meant major bugs, multiple — which is blocking at all which Facebook has, has created a political transparency tool which, you know, after the whole thing with the Cambridge Analytica and the shockwave from that happened. Facebook developed some tools, one of which is specifically around political adverts inside Facebook. Turns out there’s multiple bugs and problems with it. So yeah, it’s a developing story, shall we say, because I think Facebook have only just been alerted about this, these bugs by Mozilla, who found them. So hopefully Facebook do fix them.
Jeff: I think it’s interesting. And I think this gets back to that point of, you know, there’s no way I don’t think there’s going to be a full way for political ads to be blocked on a Facebook or have that true transparency, or, you know, who’s paying for what and I think in looking at this one, you know, it seems a lot of them with the party now having to test you know, new messaging and, or us and things like that. So I could see why they’re running a lot. But the part that’s interesting is that the tool’s not working. So outside of the fact of where it’s able to say, Hey, this is what’s going on here. Here’s who’s paying for the ads. Yeah, you know, who’s paying for ’em, but at this point, they’re not able to, you know, show you exactly what ads are being targeting, which people —
Dave: — good point there, because there’s a few stories going around the UK at the moment, and I’m not pointing fingers or anything like that, you know, I don’t want to turn this into political podcast. But there’s a lot of stories going around at the moment about, like dark Facebook ads and, and political ads, and who’s paying for them and, and who’s ultimately responsible for a particular advert inside a social network? And, you know, it’s an interesting point, because we are seeing a lot of ads, which are targeted to certain specific groups, but the person who’s paying for the ad, or the company, or the group of people are paying for the it sometimes diluted. And I think this is, like I said, at the start, due to Cambridge Analytica, and it’s great to see that people are taking a lot more interested in where these adverts are coming from and who’s paying for them? Because I think prior to Cambridge Analytica and the, the fallout from that, nobody really cared, right?
Jeff: If you want to get a good watch into, like the Facebook ads, The Great Hack on Netflix is a really good documentary on the Cambridge Analytica whistle-blowing and things like that. So, really an interesting watch. But I think when it comes to this, is, I’m gonna say it because we’re not gonna turn political. But I think up with the last two elections, where you had Take Back The Power and Make America Great Again, you know, those, those seven words on there, you know, pretty much caused a crap storm when it comes to, you know, what people are doing with the ads and where people are wondering if people have been manipulated by adverts that they’re seeing within tools like Facebook. And, you know, I think what people have started to realize with this is that people are able to be manipulated when they start seeing propaganda. And the question becomes, is, and I think part of it is, you know, one, both sides, I think both sides of the pond, your side, my side had very charged feelings, you know, about both Brexit and Trump being elected. So when you look at those times, something’s you’ve got another half of the population who wants something completely different. And now you’ve got this powder keg sitting here. And now you’ve got both sides sitting there saying, How are people so stupid to be duped by this? or Was I influenced by these types of ads? So people are wanting to know more, which there’s still not clarity really into. And then you add in the whole level of the Russian troll farms and everything and then it’s like Oh, —
Dave: — it’s a certain storm.
Jeff: Yeah, crap storm. Let’s keep it PG here.
Dave: Yeah, I think you know, you’re right. But he doesn’t help the, you know, nowadays, and I do think social media is, is partly if not almost entirely responsible for this, that we’re seeing people, you know, on the left moving further left, and people on the right moving right. And it’s like, say, I don’t want to get into too much into politics. But I think, you know, we talked about bubbles. And people have their little silos, sort of Facebook bubble, and everyone inside that Facebook bubble speaks the same language and talks about the same things, and anyone with a different ideology, so to speak, never tend to turn up in that bubble. So, you know, we kind of drift apart and instead of people on the left and right, and in the center talking together, we it’s just like, I think Stephen Fry actually put it best. He said that you have these canyons on the left and right, and they’re shouting at each other. And just normal people are in the bottom of the canyon, just watching these people shouting at each other. I think that’s where social media needs to sort of pop these bubbles.
Jeff: I think it’s really right about here. But I think when you start to look at it, you know, those peaks and valleys that you’re talking about, as you start to look at this is where the ads come in and are able to get to that manipulation point, if you will, and ad copy testing is nothing new. Image testing isn’t anything that’s right. But you know, instead of being like a display ad, where you’re shooting a shotgun at the wall, hoping something sticks in the targeting to do within the social networks, and this is why I think people care some is you can now make what used to be that shotgun blast into a certain surgical slice.
Dave: Naturally. I know we’ve gone to the story, but I know. I know, this story kind of makes it sound a little bit dirty. What conservatives party is doing regarding targeted adverts, but it’s nothing that Labour doesn’t do is nothing that the Brexit point doesn’t do is nothing that Lib Dems does don’t do it, you know, they hold doing it.
Jeff: It’s a matter of how the stories were in our who’s seeing the ads and looking at it. You can you can replace the political party with anything. Yeah, you can, you can replace that with that ad that I shared the other day with the gamer for president of us.
Dave: That did actually genuinely make me laugh out loud.
Jeff: Oh, it’s my favorite.
Dave: Can we share a link in the description? I know it’s not exactly PG, but —
Jeff: Yeah, sure. LinkedIn.
Dave: Yeah, let’s do that. Anyway, shall we jump over to the last couple of stories?
Jeff: I want to give the story from Thomas Webster a little bit of time. So I want to jump into one that we’re going to link to Kaspersky Daily here. And now this is something that’s more of a PSA for everybody. If you use an iPhone, if you use an iPad, you should probably update it right now to 12.4, the new version, because six critical bugs have been disclosed and fixed within the operating system.
Dave: That’s right. Yeah, I don’t think I don’t think 12.4 completely fixes all of the six bugs.
Jeff: But these are six critical vulnerabilities that were found by Google’s zero day projects, Project Zero. Yeah. So one of the things that’s needed here is there’s some pretty bad bugs that To be honest, if these bugs were paid for on the on the dark web are sold to some of these companies that buy vulnerabilities to iPhones to Apple products. They could range between 5 and 10 million bucks. So you’re looking at something that’s not a small bug on there. So update your devices. And now just to give the story the proper time, Dave, let’s talk about the last story here.
Dave: Yeah, this is from Thomas Brewster over on Forbes talking about how I’m I found this story fascinating he’s talking about how a hack can break the Visa card contactless limit. So we all have you know, I think most of us anyway, have contact with cards these days. You just pop into a store spend up to 30 pounds, I don’t know what it is in the States, probably about $50, something like that. And you can just put no need for PIN numbers, no need to put your cars into a machine or anything, you just tap and then you’re off. Turns out that a couple of white hat hackers have been able to make a workaround to be able to break the 30 pound limit. So basically, I think they did it. Yeah, here we are on their own cards. They make contactless payments as high as 101 pound, though is possible, more stolen, just with just one tap. Now, they don’t go into the specifics, for obvious reasons. But they do talk about how he’s done a basically a man-in-the-middle attack. And they place a piece of software in between the card and the reader, which allows them to alter what’s being said, really concerning, I think and Visa have addressed it, but I don’t think there’s a fix ready yet.
Jeff: I think if there’s one thing to look at in this week’s stories, I really think that you guys should check out the video from it. The video is actually quite interesting on here. And you know, I think what makes this pop up is a really eye-opening story is it seems every time a security features put in place, there’s a bad guy who’s got a way around it. And yes, these guys are white hats showing how to do it. But I think at the same time showcasing how you can get around this is the part that should be eye opening to people.
Dave: That’s 100% correct. I think it’s not going to be long before an intuitive, ingenious, shall we say black hat hacker or just someone who wants to make a little bit of money figures out how to do this. I think that you know this. For us as users of the contactless cards it’s a really, really simple fix. It does mean spending a little bit of money, but I think you know, you weighed out versus potentially losing a slot of money, it’s worth the risk is worth the payment, which is you can get a little — I have one, actually — it’s a little wallet, which is has got RFID blocker inside the wallet. So you can actually put all your cards inside your normal wallet, it looks exactly the same as any other wallet, but it blocks any sort of RFID payments. So if anyone wants to come along and try and tap your wallet to try and take some money off, which we’ve seen videos on before people have been walking around with content with card machines trying to swipe people’s wallets, they won’t be able to do it because there’ll be no way for them to get by the barrier of the wallet. So definitely worth it. You can also buy little card holders, right, which you put all your cards inside in the same thing.
Jeff: And then we give them away conferences.
Dave: Yeah, we do. Yeah. What was a little plastic things?
Jeff: Yeah, I remember had to bring like, I think like 10 boxes of those things to SAS a few years ago. Definitely. Yeah, I had to bring two releases to Cancun. And like one of them was like, literally, like, try weighing your bags out with these things on there?
Dave: Well, I mean, one on the road. They’re quite light. But you know, it’s plastic and some sort of lightweight.
Dave: But I think Visa’s, I acknowledge the hack, but they’re basically saying that it’s not scalable. It’s not a scalable fraud.
Jeff: I think I think that’s been the issue in the past, when you’ve looked at some of these, you know, hacks in the past when you’ve seen them, they haven’t been at scale. So again, it’s a good vulnerability to be aware of. But how scalable is it? It only takes that one time to lose your money, though. So I think it’s better to be safe than sorry, get one of those RFID tracking wallets.
And with that, this week’s edition of the Transatlantic Cable podcast has come to an end. If you liked what you heard, please give us a good rating on iTunes or share it with your friends. Sharing is caring people. If you think we got something wrong, there’s a story we should cover, hit us up on Twitter @Kaspersky or on our Facebook page. And we will try to cover that or address your concerns in a future episode. So, until next time, have a good one guys.
[Automated transcription lightly edited]