SS-NEWS-134: Blockchain Serving Lawsuits, SEC Twitter Security

Episode 134 January 16, 2024 00:38:45
Security Serengeti

Show Notes

This week we discuss serving lawsuits using the blockchain, the SEC's poor Twitter security practices, LLMs as bug hunters, and an update to the 23andMe saga!

Article 1 - Here’s Some Bitcoin: Oh, and You’ve Been Served!
Supporting Articles:
email-on-blockchain
Court Grills Government Over $86M FBI Raid On Security Deposit Boxes

Article 2 - After hack, X claims SEC failed to use two-factor authentication
Supporting Articles:
Capacity Enhancement Guide

Article 3 - How AI hallucinations are making bug hunting harder

Article 4 - 23andMe blames “negligent” breach victims, says it’s their own fault

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!


Episode Transcript


 [00:00:00] 
 Matthew: Welcome to the Security Serengeti. We're your hosts. It's David Schwaninger and Matthew Keener. Stop what you're doing. Subscribe to our podcast. Leave us a lovely five star review and follow us at @serengetisec on Twitter. We're 
 David: to talk about some cybersecurity and technology news headlines, and hopefully provide some insight, analysis, and practical application that you can help, 
 that you 
 can take into the office to help protect your 
 Matthew: organization. 
 Views and opinions expressed in this podcast are ours alone and do not reflect the views or opinions of our employers. 
 David: Hey Matt, did you hear that Satoshi Nakamoto is getting divorced? 
 Matthew: What? I can't believe it. 
 David: Yeah, his wife served him notice via NFT. 
 Matthew: Oh, it's okay. I'm sure he can resell it for a bunch. 
 Just for any listeners, I apologize for any background noise. We had some dinner and we're recording this after dinner, and it was nice and quiet when we were eating dinner. And then everybody came in. 
 David: Yeah. Maybe next time we should record, first eat after. 
 Matthew: Maybe we should actually. You know what, you're probably right though because we come at five o'clock. 
 Five o'clock is just naturally a quieter time, and as [00:01:00] the evening goes on it gets busier and busier, we probably should. 
 David: Yeah, because the old people are done, and the young people 
 Matthew: haven't started. The young people haven't started? It's a sweet spot. Alright. title here is, Here's Some Bitcoin. Oh, and you've been served from Krebs. 
 Their summary sentence is perfect, so I'm going to go ahead and quote it here. Quote, A California man who lost $100,000 in a SIM swapping attack is suing the unknown holder of a cryptocurrency wallet that harbors his stolen funds, end quote. Apparently this is the first time that a message in a blockchain has been served, used to serve notice. 
 Although there's an example later, but the one later was an NFT, right? Yeah. Okay, so this is the first time, alright. So it is, Kind of sad that they weren't able to get any help from law enforcement, so they had to do this themselves. 
 David: Why, you expect law enforcement to do some work? 
 Matthew: Ridiculous. You're right, $100,000 was not enough money to get them interested. 
 David: No, I mean, they wouldn't even put it on their pants for that. 
 Matthew: I regularly put on my pants for 20. 
 David: bucks. I'd take them off for [00:02:00] 15. That's why they 
 Matthew: That's when they give me 20 to put them back on. 
 David: a 
 company, 
 Matthew: Work with him that specializes in tracing crypto. They told him what wallet the crypto ended up in. And it's currently unknown if the attacker still holds the wallet or someone else or the government. 
 They may have seized it. Because the address is apparently involved in some type of federal investigation, but it's unknown how or if it has already been seized. So, he sent the address, a hundred dollars in bitcoin. Why a hundred dollars 
 David: I know, like I said, I would send him a buck. 
 Matthew: Yeah, 
 Yeah. And attach the summons to it as part of the metadata in the transaction. Maybe the 100 was enough to make them pay attention. They're like, oh, where did this come from? 
 David: Oh, I don't know. 
 Matthew: know. I mean, if they're, if they're making tons of 
 David: of money stealing from people, maybe they wouldn't even look at a hundred bucks either. 
 Matthew: Like, what is this? I don't know. 
 David: It's not even worth looking at. 
 I 
 Matthew: personally have decided that this is the type of email protection that I want. If you had to pay me to send me an email. That would 
 David: be awesome. 
 Matthew: I know, right? [00:03:00] So I went to check. I was like, oh, has anybody built this yet? Email, but on the blockchain, so you have to pay a fee to send someone an email. 
 And someone has. I'll include the link to the GitHub. But someone wrote a simple app that puts all of your email. Well, it puts the headers on the blockchain. It doesn't put the content of the email on the blockchain. That could be a problem. But So I, 
 I kind of like this idea for email, like if it's a penny or something. 
 David: Yeah. I'd 
 Matthew: pay a penny to email my friends. I'd, you know, put like five bucks into it. I email rarely enough that five bucks for 500 emails would probably last me the year. 
 David: Yeah, I mean, actually, I mean, if you're talking about digital currency like Bitcoin, you could do fractions of a penny, because that's infinitely divisible, so you wouldn't even have to do a full penny. 
 Matthew: That makes sense. Because It just has to be, and it's kind of like the idea of slowing down logins by one second. Like that's not enough for a human to get annoyed, but a bot, like, if you're sending out a million phishing emails and you have to pay $10,000 for it, you're not gonna do it. Right. 
 David: Well, that's like, there [00:04:00] used to be the idea about when you know, spam really started getting, going in the early 2000s. 
 Matthew: about 
 David: idea about a proof of work 
 Matthew: to 
 David: send email. 
 Matthew: that makes sense. 
 David: So, you couldn't get the, it would just take this, so much effort. You know, in order to send an email that vast amounts of email simply would not be worthwhile for the spammers to send. 
 Matthew: See, and that works for real companies, too. I don't want to see 90 percent of the shit they send me. 
 Make them really, like, send me the stuff that I care about. You're going to 
 David: put MailChimp out of business. 
 Matthew: Good riddance. So, I actually, I'm curious if this is a worthwhile way of phishing wallet holders. Sure, it costs money to send something, but you can pretty sure they You can be pretty sure that they have money because you could see, you know, the transactions in the wallet potentially. You could definitely target it to folks that had a lot of money and it would be very very specific because you can send it to a Bitcoin wallet knowing they have Bitcoin and send them a link that would [00:05:00] you know, connect a wallet or something and drain their wallet. I don't know. This is the Bitcoin police. 
 Please 
 click this link to, I don't know. 
 David: Wait, so you're talking about sending a malicious link via the blockchain? 
 Matthew: blockchain? Exactly. Of course, the problem is that link is there forevermore now. Oh boy, a bunch of kids just sat down next to us. This might be a terrible idea. Maybe we should stop recording the restaurant. 
 David: recording the rest of it. 
 Well, this might be the last one. We'll see how bad this gets. 
 Matthew: We'll see 
 David: if the AI 
 Matthew: AI can really clean this up. 
 David: Whew! If it's not magical enough, then we may have to 
 Matthew: Yeah, re record or something. That's fine. So I'm not sure how the recovery would work here exactly. The money is in a wallet, sure, but if the wallet's not in an exchange, how do you, how do you get it? 
 David: Yeah, well, in the article it's quoted saying, experts say the money could be seized by cryptocurrency exchanges if the thieves ever tried to move it or spend it. So it seems like if they ever tried to get it out of Bitcoin and into cash, then it [00:06:00] could be confiscated at that time. 
 Matthew: Yeah, how awful, they can only use the Bitcoin on black market stuff. 
 Actually, that's, that's almost a character like passing marked bills. 
 David: hmm. if 
 Matthew: you have, if you identify a single Bitcoin, and they subdivide it into two smaller, two half Bitcoins, are those both traceable back? Those are both traceable because it's all tracked. So those are both traceable back to that single Bitcoin. 
 So you could use it to buy something on one of the dark web markets. And then the person who bought it then goes try to cash it out, and they get nabbed. Potentially. 
 I don't 
 know. I don't know. This is the same problem as always. Crime is easy, cashing out is hard. But the problem is you'd never get an actual criminal. 
 They'll probably use some kind of mule to cash things out, and they'll get nabbed. 
 David: hmm. Right. It's like 
 Matthew: drug dealing. Yep. Yep. Same thing. So, I expect in this case, since Bitcoin and many crypto coins are trackable, you could somehow mark this transaction as stolen and any further uses of the crypto from that transaction would be [00:07:00] flagged so that if it ever pops up in an exchange it could be seized maybe? 
 I don't know. So Krebs mentioned he had money seized as part of the Liberty Reserve bust back in 2013, which was an early digital currency. And it took him seven years before anyone in the Justice Department even got back to him about getting his money back. They said that it took them that long to get access to it through the IRS. 
 I don't know if I believe that or not. Why was the 
 David: the IRS involved? 
 Matthew: I don't know. 
 David: They were the original They 
 Matthew: were probably the original law enforcement 
 David: on whatever the case was, probably. 
 Matthew: They said it was laundering money. Yeah, so that would have been I actually know that would have been Treasury Department. 
 I don't know. I know. Maybe I might be misremembering it. I didn't put IRS in the notes. It's possible that I just made that up like an AI hallucinating. You can't screw a dead cat without hearing it from the law enforcement agency. It's true. It's true. So, now the question is, is if they even return it. 
 I mean, we've talked before about how they don't really care if the amount stolen is under a certain threshold, which, depending [00:08:00] on whether you're talking about local police or federal police, is either 10k or 100k. The government definitely has a history of just auctioning off seized Bitcoin whenever they seize a dark web market. 
 I don't know if the government's ever actually returned any stolen crypto. 
 David: Well, why would it? 
 Matthew: So I did look it up, and crypto is considered property, and if it's involved in a crime, they seize it, and they sell it, unless somebody demands its return and can show it's theirs. Which is, show it's theirs part, actually, is probably not too hard with crypto. 
 Well, it's on the blockchain, so you can 
 David: You just have to 
 Matthew: to show that you control the wallet. I bet they just don't want to, I think the problem is, For them, it's free money. Well, yeah, yeah. Well, I'm saying that most of the people that have crypto are probably people that are focused on privacy. Or people that are doing, you know, purchases that might be illegal or semi illegal on the dark web. 
 So when they seize the money, nobody wants to come up and be like, oh yes, that's mine. And then they go look and they're like, oh, but I see you also spent some money here. And you also Oh, so they don't, 
 David: just don't want [00:09:00] this the government turning their spotlight on them 
 Matthew: Yeah, I think, I think, potentially. 
 David: A quote from Mark Rasch, a former federal prosecutor at the US Justice Department. And he said the government doesn't need the crypto as evidence, but in a forfeiture action the money goes to the government. 
 Matthew: Isn't that nice? Isn't that weird? Did you see the I recently saw the government. 
 There was a post on Twitter about the FBI seized a like a private safe deposit box company. Have you ever seen, there's a place called The Vault near me. It's in a storefront. It's next to a coffee shop. It's apparently like bank style vaults. Like bank style, like, what are those, what are those boxes? 
 Safe deposit boxes. Yeah. 
 David: yeah. 
 Matthew: So apparently they were told they could not write a warrant for the contents of those safe deposit boxes because it belonged to a bunch of other people. So they wrote the warrant for the entire 
 David: [00:10:00] operation, 
 then 
 Matthew: they had to quote unquote inventory the contents of the boxes and they found millions of dollars in gold and silver and jewelry and they seized all of it. 
 And the Twitter post that I saw about this was from a lawyer who was suing the government to get it back. And he's like, we finally won the lawsuit to get it back. They were just going to keep it and one of the only reasons they got it back. Is they found a piece of, they found a document from the government that said they were planning on seizing it in order to force forfeiture. 
 Like the government, like, wrote this down. So basically the government wrote down, hey, we're gonna steal this money. 
 David: And they 
 Matthew: And then they went out and stole it. And got caught. I'm sure there were no consequences for any of the agents 
 David: involved. Oh, 
 Matthew: No. I mean, this is why there are several states, 
 David: that are They're fighting the civil forfeiture, 
 Matthew: Civil forfeiture 
 David: laws 
 Matthew: cause, 
 David: Under civil forfeiture, civil asset forfeiture, the government can see 
 Matthew: [00:11:00] something and 
 David: just claim 
 Matthew: that it may be related to a crime and then you have to prove 
 David: that it's not related to the crime in order to get your property back. 
 Matthew: State of Virginia versus 2004 Honda Accord. 
 Yes. 
 David: Or and 
 Matthew: the whole nefarious thing about that is, if they 
 David: They find, you know, Matt's walking down 
 Matthew: the street, they do a stop and 
 David: frisk on Matt, and he's got $5,000 on him. Oh, 
 Matthew: Oh, they just take the money, yeah. Because he was going to go and buy a motorcycle with it. It's much cooler. And, so 
 David: they've seized it now, and they're like, Hey, well, you can 
 Matthew: go through the court system to get your $5, 
 David: $5,000 back, which is gonna 
 Matthew: cost you $15,000 to $20,000. 
 And lawyer fees, yeah. 
 David: So, good luck with that. 
 Matthew: It's just 
 David: outright theft 
 Matthew: because people can't afford to get their, to go through the effort to 
 David: get the money back. 
 Matthew: I mean, the 
 David: amount of money they would have to steal from 
 Matthew: in order to make it worthwhile 
 David: for you even to fight the fact that 
 Matthew: they stole it from you, would have to be big. 
 Yeah. Unless, you happen [00:12:00] to cross lawyers that would do it pro bono. Yeah, but then they're going to take a percentage of it. They're going to take like 20 or 40 No, pro bono is free. Yeah, but I thought, I thought pro bono was They get paid out of the proceeds. 
 David: I think, I think Pro Bono 
 Matthew: is free. But why would they do that? 
 Why would they do it just completely for free? They do it for charities or 
 David: whatever kind of thing. 
 Matthew: If you've got $5,000 in cash. They're probably not going to do charity work for you. 
 David: No, but I'm just saying 
 Matthew: that, 
 David: you know, there are lawyers that do, do work for 
 Matthew: for free 
 David: they think the effort, or the, the cause for which they're doing the work is worth it. 
 Matthew: There probably is one that's dedicated to going again. 
 I donate 
 money, but I can only afford to donate like an hour of lawyer time. 
 David: Yeah. So, so anyway, that's, you know, that's a lot of theft from the government, just stealing your money and 
 Matthew: saying, you've proved to 
 David: this was not involved in a crime, instead of having some, instead of the way that the Constitution is written and saying, you have to first 
 Matthew: reasonably 
 David: to a judge why you think 
 something was involved in a crime and what you're going to take and all that. Yeah, but [00:13:00] Fourth Amendment like most of the cons, the amendments to the Constitution, they don't, they don't mean anything anymore. 
 Matthew: Ah. 
 David: On that happy note, there was, there was, there was an interesting thing that was in the article that actually predated this This event where a, a law firm in November of 2022. 
 In the Southern District of Florida, 
 Had the court authorize the service of a lawsuit seeking the recovery of stolen digital assets by way of a non fungible token, or NFT, 
 Matthew: containing 
 David: text of the complaint and summons, as well as a hyperlink to the website created by the plaintiffs containing all pleas and orders in the action. So it's like a lawsuit as art now. 
 Matthew: You know, the blockchain can't contain too much information, right? It can only contain a certain number of characters. I was actually just thinking, like, there's probably so many good places we could use blockchains for, [00:14:00] like, posting stuff publicly. Like all lawsuits and all summons and all stuff like that going up on the blockchain, so it can't be changed afterwards and Well, you could 
 David: use a blockchain for that. You don't have to use the Bitcoin blockchain, 
 Matthew: Oh, yeah, that would be more expensive. I would do a specially constructed one that Right. Like, like a interplanetary file system, maybe. that now makes me wonder, like, an interplanetary file system, what's stored on the blockchain? Is the actual data stored in the blockchain, or is the location of the data stored in the blockchain? 
 Well, 
 David: it's a finite amount, I assume it's 
 Matthew: the location 
 David: the blockchain. 
 Matthew: So, what you're, 
 David: what you're talking about 
 Matthew: Is you put the data 
 David: on the, 
 Matthew: on the, the planetary file system, so that that's immutable, 
 David: Right, and then you link to it from the blockchain, so you've got two things that are permanent. 
 You've got the link which is on the blockchain, and then the data which is on the interplanetary file 
 Matthew: system, the 
 David: The IPFS. 
 Matthew: because that's what I'd want, is I'd want like a durable, permanent record of, you know, like government minutes, government, it's like anything you've got to do from the government, like every government document exists in the open somewhere [00:15:00] that's not classified, you know, all these lawsuits, all these 
 David: Yeah, I mean, it'd probably be worthwhile because just the volume to have like one blockchain per 
 Matthew: state or 
 David: something like that just to make it 
 Matthew: easier to, to, to 
 David: manage. 
 Matthew: I can also see voting being done on the blockchain too, because again, your vote is preserved forever and you can go look at it. Of course, the problem is everybody else could look at it too. So it'd need to be encrypted and you'd have to have your own key so you can go validate your vote. Or you could give somebody else your key, so they could validate your vote for you. 
 That'd be kind of interesting. 
 David: Yeah, that could all be worked out. 
 Matthew: I mean, if someone put 
 David: amount of effort into, into, you know, if someone actually sat down and worked through it, I'm sure that's, that could easily be done in a way that still was anonymous and yet secure 
 Matthew: verifiable. 
 David: and verifiable. 
 Matthew: thinking is that the vote, like, like let's say a presidential election, the name of the person you voted for Would be on the blockchain unencrypted, so that anybody could just count the number of votes on the blockchain. 
 The 
 David: of times that name appears. Yeah, [00:16:00] yeah. 
 Matthew: and be like, all right, we have a definitive count. And then there, your name would be encrypted in there, or your like, identifier number or something, you've got like a little identifier number, so that way you can look at yours and be like, yes, mine is correct. 
 David: Or, I mean, actually you just have a public key signature on it. 
 Matthew: Oh, yeah, yeah. 
 David: So you just sign it with your, your, your private key. 
 Matthew: Which nobody has, except for. You know, technical, technical people. 
 David: I mean, you, you sign it with your public key, I mean, and 
 Matthew: Yeah, you check it with your private key. I guess the only, I guess that still wouldn't guard though, against people just adding make believe people. 
 That would validate that your vote's in there, but that doesn't guarantee that there's not made up people in there. Man. Alright, anyways, getting distracted. A little bit off topic. A little bit. 
 David: Alright, so moving on to the next article. After hack, X claims SEC failed to use two factor authentication. 
 And this comes to us from CyberScoop. 
 don't 
 Matthew: we've had any articles from CyberScoop before, have we? 
 David: Edwin. I don't know. 
 Matthew: We've 
 David: a couple [00:17:00] episodes now, so I can't remember 
 Matthew: that 
 David: article that we've talked 
 Matthew: talked have everyone memorized? Oh my gosh. 
 David: Yeah, well that's why you've got to get the transcripts done so that we 
 Matthew: can have AI do all that work for us. 
 David: So the Securities and Exchange Commission their X account, or Twitter account was hijacked. 
 Their Shitter account? 
 Matthew: Yeah, cause it's X itter, and X is pronounced she. So, it's shitter. Nice. 
 David: That's good. 
 Matthew: I heard it somewhere, I can't claim 
 David: You can't claim you figured it out? 
 Matthew: Can't claim I figured it out myself. 
 David: But Twitter says this happened because SEC did not have MFA set up on their account. 
 But I think there's an issue with that, and we'll get into that here in a couple of minutes. But the SEC's account posted that the agency had approved the trading of Bitcoin exchange traded funds, ETFs, on Tuesday. 
 But the SEC chairman Gary Gensler said that the statement was false and the Twitter account was compromised. Now, after that happened, Twitter made an [00:18:00] official statement which is, quote, Based on our investigation, the compromise was not due to any breach of X's systems, 
 Matthew: but rather due to an 
 David: an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party. 
 We can also confirm the account did not have two factor authentication enabled at the time the account was compromised. 
 Matthew: We 
 David: encourage all users to enable this extra layer of security. End quote. 
 Matthew: So they, so two factor authentication was not enabled, but they blamed it even though the attacker got in? 
 David: That's what doesn't 
 Matthew: make sense. Because it 
 David: kind of sounds like there's a SIM swapping thing taking place, but 
 Matthew: if 
 David: if that is true, doesn't that mean that they had SMS authentication, two factor authentication turned on for the account, and then someone sim swapped to get the phone number to get the SMS two factor authentication sent to it. 
 Because unless [00:19:00] Control over phone number equates to control over a Twitter account. 
 Matthew: That's how it reads. Right. That's wild. 
 David: That's why I said it doesn't make sense what 
 Matthew: what 
 David: X is saying 
 Matthew: That SEC did. If I can figure out Taylor Swift's phone number, does that mean I can get access to Taylor Swift's Twitter account? 
 David: Yeah, but not her billion dollars. 
 Matthew: Well, I mean, who knows what she's got in her. So I can, I can, I can tweet a Bitcoin scam to all of her billion followers and if Tay Tay says it's true. I would say 
 David: you got a hold of her her phone number. It would be better to 
 Matthew: to 
 David: access her bank account via that two factor authentication token 
 Matthew: than her Twitter account. 
 Fine, fine. I 
 David: you think too small. Fair enough. 
 Matthew: Just 
 log into her bank account, and it's like one billion dollars in her checking account. I'm like, Jesus Christ, doesn't she invest anything? She's just holding on to it. She's holding on to it in cash. 
 David: Well, hopefully 
 Matthew: she didn't invest that 
 David: the Silicon Valley 
 Matthew: and be like, Oh, here's your two hundred thousand dollars from your billion. 
 [00:20:00] And it's gone. And it's gone. 
 So yeah, that whole statement by Twitter does not make sense to me 
 David: that simply control over the phone equated to taking over the Twitter account. 
 Because, like I said, either 
 Matthew: you can 
 David: access, you, you, 
 Matthew: just controlling the phone number controls the Twitter account, but if they did 
 David: not have two factor 
 Matthew: authentication token 
 Or two factor 
 David: authentication set up for that account, then SIM swapping doesn't 
 Matthew: even make any sense. 
 David: So, 
 Matthew: it seems to me, 
 David: more like they did have two factor authentication set up, 
 Matthew: but it was SMS. And the account was compromised that way. Because, you're 
 David: also talking about a government account. Does 
 Matthew: that mean they were, they were just passing the phone around? Or only one person 
 David: post on 
 Matthew: Twitter? 
 David: Because they had the official phone that 
 Matthew: do the voting. 
 That just doesn't make any sense. Because you think that the, the government SEC account, they would be doing their posting, not from a phone, but from a computer where they would log in 
 [00:21:00] Via some shared credential or whatever to SEC account. Maybe they're on a modem. laughter I don't know. 
 I don't think that works that way, but that's a funny thought. And, and, and what's, what's annoying me, what seems annoying about this whole thing is, only you and 
 David: I seem to 
 Matthew: to be 
 David: questioning this. All the articles that I read, 
 Matthew: because I went through like two or three saying, Nah, someone else has said something, or X misspoke, or, you know, somebody in the news would question this, but nobody just reiterated what 
 David: X said, 
 Matthew: blaming 
 David: SEC 
 Matthew: SEC for not having 
 David: factor 
 Matthew: authentication on them. 
 But they did 
 David: point out that 
 Matthew: the DHS 
 Cybersecurity and Infrastructure Security Agency, 
 David: CISA, 
 Matthew: CISA 
 David: put out a Capacity Enhancement Guide. For social media account protection. 
 Matthew: I am enhanced. You wish you were enhanced. 
 David: So they recommend in 
 Matthew: this account that they, or 
 David: recommending this guy, 
 Matthew: that they use MFA. 
 David: but that's 
 Matthew: not a regulation and it's 
 David: not a requirement. It's simply 
 Matthew: a recommendation. That's weird. I would have thought that would be a requirement for government agencies. Because People can use, people treat that as like an official [00:22:00] government pronouncement. 
 That's wild. 
 I mean, generally speaking, I, I, I get that it's a social media account and you probably shouldn't treat it like it's official, but I can't help but imagine that an awful lot of people see one of these government accounts and they treat everything that comes out of it like the gospel. 
 David: Well, apparently they did, because aft It's like 
 Matthew: Jerome's mouth. apparently 
 David: lot of people do, because after an announcement happened on Tuesday, the The price of Bitcoin spiked up to $48,000. 
 Matthew: Oh, did it? That's actually what I was going to look up. I was going to Bitcoin price. 
 David: Well, I have the numbers here, but it didn't spike up, it didn't close the day at $48,000. 
 Matthew: It just spiked up 
 David: for a short period of time on Tuesday, $46,000 to $48,000. 
 Matthew: to $48,000. 
 David: But we'll get into those numbers here 
 Matthew: in a couple of minutes. 
 David: To quote the article, security researchers and telecommunication firms have urged the company for years to adopt best practices for, regarding the prevention of SIM swapping attacks, but those warnings have fallen on deaf ears. 
 And I'm not sure what [00:23:00] Twitter could do about SIM swapping. Other than not offering SMS as a second factor. 
 Matthew: and there's a lot of people that just use that. There's a lot of people that still don't have, you know, Google Authenticator or anything on their phone. 
 Like, SMS is what they have. 
 David: Right, but what's Twitter going to do about it? 
 Matthew: I mean, they could stop doing it, but then you just don't have two factor at all for those people. Right. What I'm saying is 
 David: these 
 Matthew: people are urging them 
 David: to simply take away 
 Matthew: that option. Ah, yeah. 
 David: You know, because I'm not sure what Twitter themselves could 
 Matthew: do about 
 David: preventing SIM swapping. 
 Matthew: That's fair. Other 
 David: than, like you said, removing SMS, which then 
 Matthew: reduces the 
 David: total number 
 Matthew: of people that are using 
 David: multi factor all together 
 Matthew: or users. Yeah, I don't have enough money. Nobody's SIM swapping me. Just look at, I mean, look at your threat model. If nobody's going to sim swap you, use SMS. If you, like, if somebody broke into my Twitter account, they would get 
 David: probably 
 Matthew: negative followers 
 David: to what they've 
 Matthew: got now. 
 David: they broke into our Twitter 
 Matthew: broke into our Twitter account. Woo! But 
 David: But Allison Nixon, the chief research officer at cyber [00:24:00] security firm Unit 221B. 
 Matthew: terrible name. Is that an apartment that they, like, started the company at? Well, my 
 David: guess is that she probably was working for the Israeli military and that was probably her unit number. And she said, hey, let's just turn 
 Matthew: her name quite a bit. 
 I've seen her name 
 David: But she said there have been security contacts at Telco's trying to reach out to Twitter, but everyone we and the community know that worked at, on their security team was responsive, has quit. 
 not 
 Matthew: a surprise. 
 David: But it seems to me like, hey, I knew Bob at Twitter, so I called Bob whenever there was a problem, and Bob quit, so now I don't call, talk to anybody at Twitter. I'm 
 Matthew: And I'm stuck! I can't do anything! 
 David: I can't, yeah, 
 Matthew: Bob left. 
 David: Yeah, so they were just relying on the hero model, 
 Matthew: Yeah. 
 David: At Twitter. But so I tried to do some research because there was all this talk about when Elon took over that a whole bunch of people quit and he cut the workforce in half and everything. So I went back and I tried to find references to security folks leaving [00:25:00] Twitter. And what I found was, on the 9th of November, 2022 the headcount of their trust and safety team was cut by 50 percent and, and, and 15 percent of the entire 
 I'm sorry 
 Matthew: 15 percent of 
 David: 50 percent of everyone was cut and 15 percent of that was the trust and safety team. 
 Matthew: got off lightly. 
 David: Yeah, well, and then in January of 2024, just a couple of days ago, 30 percent was cut from the trust and safety team. 80 percent of those were safety engineers and 50 percent were moderators. But the wrinkle there is, is that the trust and safety trust and safety team that is the team that's responsible for moderating content on the social media, not actual security. 
 I couldn't find anything 
 Matthew: about security 
 David: themselves being 
 Matthew: cut, or the security itself 
 David: being cut at Twitter. 
 Matthew: Yeah, I did look, I did check. There are openings though, so. 
 David: Well, I mean, there are always openings. Everybody. You know, there's probably not a comp There are very few companies that don't have over a thousand [00:26:00] people that have no security openings though, I 
 Matthew: bet. The salary was surprisingly low for San Francisco. It was 140, 000 to 240, 000. Which is a lot of money if you're in Kentucky. But for San Francisco, that's not enough to get a house. 
David: I know, but I bet you can get a three-person tent on Haight Street, on the corner of Haight and Ashbury.
Matthew: Mary, God. I saw that. I saw those tents cost like $60,000 each or something to put up. I recently read an article about this.
David: I recently read an article about this. It's like
Matthew: configuration page.
Matthew: or security key. So like a YubiKey, you have to plug into your computer? Alright. Yep.
 David: So the SEC could have used a better MFA, but didn't. 
 Matthew: Well they needed, they had the phone. They just passed around the phone. 
 They figured it was something you have. 
 David: It just doesn't make any sense. 
 Matthew: Cause that would seem to indicate that there's 
 David: [00:27:00] individual. 
 Or they kept the phone in a drawer. 
 Matthew: It's a government. It wouldn't surprise me. 
 David: surprise me. Yeah. Just ridiculous. 
 Matthew: I have something. I have something for the Twitter account. Where's the phone? 
 Oh, it's at Johnny's desk. 
 David: Oh, it's dead. Battery's dead. It's can't 
 Matthew: tweet anything 
 David: Because the thing is with the authentication app, as long as you have that QR code, you can put that QR code on numerous phones to get the, to get the token. 
 So going back to what we were talking about as far as the price of Bitcoin jumping, so, on Tuesday, which is when this happened, 
 Matthew: Bitcoin 
 David: went from 26, 500 to 48, 000. But at the end of the day on Tuesday, it was only at 46, 100. And ended Wednesday at 46, 500 and closed on Thursday at 46, 255. And the irony of this whole thing 
 Matthew: is 
 David: that the Jupyter account was hacked on Tuesday, announced that the ETFs were good to go 
 Matthew: and 
 David: then [00:28:00] they said, oh well that's a hack, that's not true, and then the next day, on the Wednesday, They said, oh yeah, well, ETFs are a go. 
 Matthew: That makes me wonder, so there's two things, I have two follow ups on this. Number one, that makes me wonder if the person who hacked this out actually knew? Or was it just coin, weirdly coincidental? 
 What is it? That they happened to Well this is 
 David: something that's been talked 
 Matthew: about. Expected for a while, yeah. Expected 
 David: for a while. So it may have been coincidental. 
 Because one of the rumors that people thought this may have been was actually the account wasn't hacked, they just accidentally announced too early. 
 Matthew: Hmm, that makes sense. 
 David: But of course that announcement by the chairman seems to negate that. 
Matthew: So the other way you could tell that is I would go look at the trading at 48,000 and see if you can find somebody that, like, sold off all the... it didn't spike that much. It only went up 1,
 David: Yeah. I mean, you're not going to make a lot on doing that, 
 Matthew: But, 
 David: but it's kind of funny that after they announced the ETFs, the price went down. So 
 Matthew: it, it, it's 
 David: it would spike, but then when the real [00:29:00] announcement came out, it would go down. Maybe they thought it was a second fake announcement or something. 
 I don't know. 
One of the reasons that we're mentioning this is that, you know, if you have the option of choosing an SMS method for two-factor authentication or a time-based token using an authenticator app,
Matthew: Authenticator app.
David: The authentication app. Don't use the SMS. And of course, the other irony here is the SEC fucking up again, which I always think is funny.
 I wonder how many fees they're going to have to pay. Or fines they're going to have to pay for their failure. None. None, yeah. 
 Matthew: All right. So title three and title four here. We're just gonna scoot through real fast. Title three is how a I hallucinations are making bug hunting harder. 
 So, bug hunters have started using large language models to not only translate or proofread their reports, but also to find bugs. Based on a blog post by Daniel Sternberg of The Curl Project, they received 415 vulnerability reports. I assume this was last year. 
 David: I don't recall the 
 Matthew: time frame from the blog [00:30:00] post. 
 And 66 percent of them were not security issues or normal bugs. And he has a couple of specific examples of this. So, bug bounty programs obviously bring in people that are looking for a quick buck. Hopefully without putting in necessary work. They are doing, you know, Nessus scans and looking for quick and easy options to just try and get some money. 
 So, they threw some curl code in a large language model and then passed it on as a security vulnerability report. So the problem here is that many times the bug bounties that come from Nessus or some other low effort method are very easy to spot and they can just kick them out very easily. But the reports generated by AI, as we have talked about before, they look legitimate. 
 They look coherent. They waste a lot more time. So for example he wrote about a report generated by Google Bard that claimed that code changes for a specific vulnerability had been leaked on the internet. It was an AI hallucination based on an announcement the previous day that the new vulnerability had been discovered, given a [00:31:00] CVE number, and was going to be disclosed. 
 So Bard took the disclosure and turned it into the code is exposed on the internet. 
 David: Wow. 
 Matthew: So one of the ways that they screen for this is they'll request more detail when to the submitter of the bug, and the author, Daniel Stenberg. Mentioned that his replies are coming back from Bard AI as well because it'll say things like triage er Please respond to the triage er that this this and this or something like that. 
David: So this very high-level hand waving.
Matthew: Yeah. Yeah. Well, and the way that it referred to him as the triager instead of, like, by name, right, Daniel? You're like, they just copied it, like, so low effort. So I think that this is actually kind of important for a different reason. Like, we're talking about how AI is going to be able to write its own code in a couple years.
 It can already get most of the way there now, but I think we're still gonna have to have people who are trained in writing code. Because the AI, even if the AI takes on most of the slack, you still have to know [00:32:00] enough to troubleshoot why it didn't work when the AI gets you 90 percent of the way there, but screwed up like one logical operation or something. 
 So. 
 David: Yeah, 
 but this is like the equivalent of frivolous lawsuits for bug hunters. 
 Matthew: but cheaper, cheaper 
 David: Because it's wasting a whole bunch of time that could be spent doing real work instead of tracking down something that's completely worthless. 
 Matthew: And we're going to see a lot more of this type of stuff, not just for bug bounties. Basically, people are just trying AI on everything. And a lot of things where it's not going to be successful, but it's going to look really successful. You know? I know a lot of people like that. 
 David: people like that. Yeah but I mean, what what people should take away from this is, is, you know, don't roll your own bug bonding program. 
 So you need to have like a, a hacker one or somebody who screens the hackers for your program. So not just anybody can submit. Bug bounty reports to your program in order to filter this kind of stuff out.[00:33:00] 
 Matthew: Yeah. The guy, the guy who wrote the blog post mentioned that the person who submitted the AI, one of the AI reports, the one he specifically commented on was on hacker one and they had a decent reputation. So it might not have been, it might not have been like a peer script kitty. It might've been someone who was just experimenting. 
 But, you know, what I would say 
 David: to that though is if I were HackerOne, he'd be gone. 
 That'd be 
 I mean, that's the last time he's going to 
 Matthew: work with us. So, interestingly enough, they did comment that on HackerOne the response is if you close out the bounty as not relevant, they get like a ding on their reputation and that's it. 
So, although he did say that he contacted HackerOne about it and they did something else, he didn't talk about what. It should have been much harsher. Yeah. In this situation. Yeah. Alright, and for our last one, "23andMe blames negligent breach victims, says it's their own fault." We included this because we talked about the 23andMe breach a couple months ago.
Yep. Super short update, we've talked about this before. 23andMe has settled on their strategy: blame the victims. Easiest way to go. Easiest way to [00:34:00] go. And factually, I feel like this is kind of correct, because, I mean, how often do you, if you're in IR at all, how often do you have idiot users that do this to themselves?
Matthew: Well, I, the thing is,
David: that you can blame them if you want, but
Matthew: you're the one... It's not helpful.
David: Well, you're also the one that has some of the knowledge on how
Matthew: they could better secure their account, and you're not also guiding them in that direction by
David: forcing two-factor authentication, having certain password requirements.
 Matthew: Yeah, and then there's something else here too with the 23andMe. Because Oh, 
 David: To quote the article Unauthorized actors managed to access a certain number of counts and instances where users recycled their own login credentials that is users use the same usernames, passwords on 23 and me.com, as on other websites that have been subject to prior security breaches and users negligently recycled and failed to update their passwords [00:35:00] following these past security in instances which were unrelated to, 
 Matthew: to 23andMe 
 David: me end quote. 
 Matthew: And the the meat of this is the fact that even though only 14, 000 accounts were breached, which is 0. 1 percent of the users accounts, if that was all that had happened, then, I don't know, maybe they would be totally fine. 
 David: Well, it would be less bad. 
 Matthew: It would be less but, the problem is, is that the way that 23andMe set things up, and we talked about this before, is If you are related to somebody, you can see, and though they have set their profiles such that they can connect, you can now see all their information for people that are related to you. 
 David: Right. So, 5. 5 million had profiles set up for what they call DNA relatives. And then they also had something that, that they called DNA relatives profiles, which is another 1. 4 million. on average, each user had access to the genetic information of about 500 other people.[00:36:00] 
 Matthew: So does that mean, so you have to make your profile available. 
 So that's not how many people you're related to. That's how many people you're related to that set their profile to effectively public. Right. Hmm. Interesting. 
 David: And one of the things that I'm unclear about because I've never used this service is what is default and what is not default. 
 Matthew: Yeah, I don't know. 
 I thought about doing 23andMe but I keep hearing that they, like, give up DNA evidence to the police and the government, and maybe I shouldn't be volunteering more information than I already have given to various companies. 
 David: They sell 
 Matthew: it to pharmaceutical companies and drug designers and 
 David: Yeah, and since you are the Zodiac Killer, that is liable to come out. 
 Matthew: no. But I would prefer to make all the money on my DNA. If there's money to be made on my DNA, I want to make it. It kills me, too, because you have to pay for that. You have to pay them for the genetics kit, and then they go and sell your information and give your information away. 
 David: Yeah. 
 Matthew: Yeah, 
 David: my DNA is not worth that much. 
 Matthew: But, no matter what it's worth, you should still get paid for [00:37:00] it. It's 
 David: like, here's a Tootsie Roll. I'll give you this for your DNA. It's like I think you're over. Big, big spender, but we'll do it. 
 But because of this whole thing, there are four class action lawsuits in, in California already. 
 Matthew: In California. Is it weird that it's in California? 
 I don't know. 
 David: in California? 
 Matthew: Yeah, the class action lawsuits. Why were they submitted in California and not other places? 
 David: You have to submit based on certain jurisdictions, jurisdictional regulations. So it could be that that's where they're headquartered or something like that. I don't know. Or it could be the article only mentioned the floor in California and there are a dozen more scheduled throughout the country. I don't know. but you know, what we were talking about before is the 23andMe could have forced MFA. Because they have options for MFA for authentication apps or email. 
 On this, which would have made the credential stuffing much more challenging. 
 Matthew: Alright, well, that looks like that's all the articles we have for today. 
 Thank you for joining us. [00:38:00] Follow us at SerengetiSec on Twitter, and subscribe on your favorite Podcast App.