Yaniv Balmas - Cyber Crime and Digital Espionage
Yaniv Balmas is head of Cyber Research at Check Point Software in Tel Aviv. He’s a security researcher, software developer, and a technology enthusiast with over a decade in the industry. His approach to keeping yourself and your computer free from attack is as much philosophical as it is technical.
Cyber security may well be one of the most challenging domains in our day and age. With infinite complexity, an ever-changing technological landscape and thousands of new vulnerabilities found every month, protecting your network and ensuring a 100% risk-free environment is nearly an impossible task.
Dubber Hi, I’m Andrew Dubber. I’m Director of MTF Labs, and this is the MTF Podcast. So given that you’re listening to a podcast right now, it’s a fairly safe bet that you have a computer or a smartphone and it’s connected to the internet, which means that it and you and perhaps everyone you’ve ever sent an email to is in some sort of twenty-first-century peril right now.
Enter the cybersecurity specialist, coding furiously against time to take down the criminal underworld, foreign agents, malware and spyware, and lock out the hackers and the bots. The hunter becomes the hunted, and so on. In fact, according to actual cybersecurity expert Yaniv Balmas, there are actually some pretty simple things you can do yourself, or stop doing, as the case may be. And there are some things you might not actually be in a position to do anything about at all, but, well, chances are, you’re not as interesting a target as you might think. Here’s hoping, at any rate.
But given that we live in a world where everything is so very digital and so very connected, from our conversations to our thermostats, our politics to our pop music, I thought I’d have a chat with Yaniv - he’s Head of Cyber Research at Check Point - to talk about what’s going on in the world of cyber and see what I can do to avoid a catastrophic network breach or some such.
Dubber Yaniv Balmas, thanks so much for joining us for the MTF Podcast. Can I ask where we find you today, where you are right now, or would that give too much away?
Yaniv Well, I’m at home, like most of the other people around the globe.
Dubber Yeah. And where is home on the globe?
Yaniv Well, I live just outside of Tel Aviv in Israel.
Dubber And you’re in cybersecurity. Is Tel Aviv a good place to be doing cybersecurity?
Yaniv Well, Israel has been called a cyber nation. I don’t know if it’s true or not, but, yes, there is a lot of cyber business going on in Tel Aviv and all around me here.
Dubber All right. So we should probably just get to the very, very basics. What is cybersecurity?
Yaniv When I started this career, there wasn’t such a term, ‘cybersecurity’, actually. It was ‘security engineering’, maybe, or ‘information security’. So cyber, for me, is just a big, new name for something. And, technically, what we’re talking about is we’re talking about mistakes. Human mistakes, usually.
So we have software running. We have hardware running. We have all of these mechanics and all of these electronics going on. They should theoretically be perfect and do exactly what they’re supposed to do and absolutely nothing else, but, unfortunately, or fortunately - it depends who you ask - that’s…
Dubber It depends on whether you make your living out of cybersecurity or not.
Yaniv Yeah, exactly. Usually, it doesn’t work that way. There are bugs. There are errors in there. Some of them are just bugs and errors. Some of them might be much worse than that, and they could lead to a lot of security issues, and I guess that’s the core of cybersecurity. That’s where it all starts.
Dubber Because what I imagine when I hear ‘cybersecurity’ is that there are lots of, for want of a better term, baddies in the world who are trying to break things, steal things, blow things up, make people’s lives miserable, and you’re the last line of defence, frantically typing like a hacker in a movie onto a screen to stop them from getting in. Is it anything like that? Is anything of that true?
Yaniv Well, I always think - about this typing like a hacker in a movie - that if someone would ever make a film on me while I’m working, it would be the most boring film in the world. It really doesn’t look that way in reality.
Are we the last line of defence? I don’t know. There’s a pretty large community. Some of it is by vendors. Some of it by individuals. Some is mixed. And there’s a lot of work being done on the defensive side of cybersecurity around the world. I don’t think it’s enough. I don’t think it will ever be enough. But I think that all of us, as a whole, we’re changing something. I think we’re protecting the world, the cyber world, just a bit.
Dubber What are we protecting it from? What are the actual risks? What could go wrong?
Yaniv So many things. But the question is not ‘what’ but, maybe, ‘who’. Who are we protecting from? There’s a lot of different individuals or groups that may be a threat to someone, and the real question is “What is their motivation?”. And I think if you’re looking at it from that perspective, you can basically divide it into two very large groups.
One of them will be the ones that are financially motivated. Those would be mostly related to what we refer to as cybercrime or scams, whatever. Their end goal is to steal your money, like any criminal anywhere in the world. It really doesn’t change. Just the playground changes. So now it’s the internet and the computers and not pickpocketing on the streets, but the concepts are pretty much the same. So that’s one group of people we should be aware of.
And sometimes these guys are pretty sophisticated and do a lot of very advanced technical work, and sometimes they are just… I don’t want to say kids, but unsophisticated. They do the very bare minimum necessary in order to steal your money. From a technical perspective, it looks like “This will never work.”, but the truth is that it works. It works a lot of times. And that’s the first group.
The second group… I think it’s, on the one hand, much, much more dangerous. These are usually not motivated financially, but they are motivated by… Usually, their goal is to steal information. So we might be talking about business espionage. We might be talking about intelligence agencies. Stuff like that. These are usually groups that are much better funded than the other ones. They have very high technical skills. They could do a lot more damage, but they are very structured, and, usually, they don’t attack everyone. They just attack who they need to attack. And if you’re not a target for them, then you have nothing to worry about, but if you are, then it’s a different story.
Dubber How does surveillance fit into this? Because I know there’s a lot of talk about personal data security and privacy and these sorts of things. Is that in the same ballpark, the same territory? Do I need to worry about my Google Home or Siri or anything like that, or is this a different domain that we’re talking about?
Yaniv Again, it depends on how you look at it. For example, I’m an intelligence agency. I want to do surveillance on one individual. Probably, I have my tools. I have my ways of doing that. And, again, you or most of the people in the world usually don’t really have anything to worry about that because they will never be a target of these kinds of organisations simply because they are, well, without disrespect to anyone, uninteresting.
Dubber That seems plausible.
Yaniv I like to be uninteresting. It’s a nice place to be. But, on the other hand, there’s surveillance on a larger scale. And that’s like when China, for example, wants to control all of the internet traffic that everyone does and see wherever anyone browses to - and I’m just giving China as an example. There are other examples not from China, of course - and that’s concerning.
Usually, their target is not an individual. It’s a very large group of people, and mainly it impacts our privacy. So now when I’m browsing to somewhere, I don’t know. Somebody might be looking at where am I browsing. Maybe he’s not specifically interested in that, but he does have this information. And this should worry basically anyone because it happens, and it happens everywhere. It happens by governments. It happens by big corporations that control most of the internet traffic, most of the search engines, and social networks and so on. You heard that on the news. I didn’t say it.
And, yes, I think privacy is something that we should all be worried about. And I think, generally speaking, we are losing our privacy. Day after day we have less and less privacy, and I don’t know if it’s something we should accept or fight against with all our power. It’s a new world, and we should know to adapt to it in that way or the other.
Dubber I’m thinking about things at the national, the nation-state level. Things like spies in the old fashioned spy story sense of people putting bugs into… Well, there was a famous case of bugs in the typewriters at the… I think it was The Pentagon, that were there for decades collecting every single keystroke of these electric typewriters.
But now, obviously, all of our information, all of our communication is all zeros and ones flying over the internet. And, presumably, it’s not just a case of being able to listen in on that. It’s now being able to manipulate that and change what that data says or to be able to actually control, at a distance, things like nuclear power plants or electricity stations or those sorts of things. Is there a nightmare scenario that all of the cyber security world is gearing up for?
Yaniv Just open Netflix and find whatever science fiction movie you like, and you’ll see this doomsday scenario.
Dubber Are you saying you’re already working on it, or…
Yaniv No, no. It’s there. These are the movies that we grew… At least me. I grew on. So this is the doomsday scenario where the machines take over, and now… I don’t know. Something like that. But, frankly, we live in the real world.
I think espionage is not something new. It’s been there since the beginning of time, I think. Just a different playground. The internet is a wonderful place, and it makes our life much easier. Makes things closer to us, easier, more accessible. We can do things remotely. It’s wonderful. But when you think about it… So when somebody who doesn’t have the right permissions or the right access gets into these places, then the damage potential is also much, much bigger just because of the nature of this. The internet. These services. It’s all there. And if somebody malicious is sitting there, then he basically controls everything.
And this can be applied to anything from - I don’t know - your personal emails to nuclear power plants around the world. There are ways to defend against this, but if history told us something, it’s that there is no one hundred percent security. If there’s a way to get in there, somebody will manage to do it.
Dubber Because I’m thinking we are in an age where we’re becoming… It’s not just us that’s becoming increasingly connected. It’s everything we own is becoming increasingly connected. So your home speakers, your lights, your air conditioning, your fridge, your toaster, whatever. They’re all connected and speaking to each other, speaking to the internet. And, presumably, if you’ve got somebody who is malicious enough and with the skills to do it, not only can they start turning off and on your lights, which is annoying, but they could presumably turn off your heating in the middle of winter, or they could… There are things that can be done at a grand scale to an entire population of a country. Years ago, there was an attack on Estonia where they essentially shut down the country and potentially caused the starvation event. So what do we as individuals, I guess is my question, what should we be thinking about, and how concerned should we be about this?
Yaniv I think, first of all, we should definitely be concerned about this. I think the better term is ‘be aware of the risks’. So these risks are out there. Usually, if we apply just very basic security procedures, regulations, and stuff like that - really not complicated stuff - we can be safe, let’s say, in a ninety-nine percent ratio. That’s the most important thing, just the awareness to these things, because - as I was saying - in the same sentence, I could say “Look, this is not… You shouldn’t go into a bunker and close everything, disconnect from the internet.”. This also doesn’t make sense to do. So I would say just keep using whatever you’re using. Technology is going forward. Go forward with it. Just be aware that everything that you connect today to the internet, everything that becomes digital, everything that becomes connected might also be a risk.
At Check Point Research, we did several research projects just on these types of things. There’s a very unique category that we like to find projects on. We call it ‘the things you wouldn’t imagine that could be hacked’. So, for example, we showed how we can take over your network by sending a fax over to your network. Just by sending a fax. We also showed how we can control your entire network just by exploiting your smart lightbulbs at home. So these are the kind of things that you were talking about. So we show it is possible. Others show the same as well.
Dubber Well, I have to say, the one that alarmed me was I watched a presentation that you did where you showed how a network could be attacked via somebody’s camera. There was a digital SLR camera that happened to be on the network, and you were able to go in through that. That’s quite astonishing because it’s not… I have exactly that camera that you were showing, and I was thinking “Right. I had not thought of that as a risky entry point.”.
Yaniv So, yeah, that’s it. The thing is that everything, as you said, is connected. Things that you wouldn’t imagine that… Why should they even be connected? And they are connected, and sometimes you’re not even aware that they are connected. So, again, this goes back to the question of awareness. You should be aware of these things, and if you don’t need them, disconnect them. And if you need them connected, make sure you’re protected, at least the bare minimum that you can do.
Dubber And what is the bare minimum?
Yaniv The bare minimum, usually, is you make sure that every connected device is updated with the latest firmware versions, security versions. Usually, unfortunately, it’s something that most people don’t do. They don’t even know how to do. And usually it’s not a big problem. There’s a big button saying ‘update’. Just push that button once in a while. That’s one thing.
Another thing is check. If your camera is connected to the internet at your house, that might be fine. But if it’s exposed out there to the internet, then you have a serious issue. It shouldn’t be, and that’s something that you can check. And if you don’t have the technical skills to check that, just find the nearest somebody who knows a bit about computers, and he can definitely set this up for you. It’s not a big issue.
Dubber I want to run some terms by you because I’ve heard them and they sound important, and I don’t know what they mean. Let’s start with ‘zero-day’. What’s that?
Yaniv That has, also, a very interesting background to it. So let’s start from the past. So when I started my - I don’t know - career or my online life, there was still no internet. We had BBSes. These bulletin board systems.
Dubber I remember.
Yaniv Yeah. And it was a great time. And what did we use this wonderful technology for? For, obviously, sharing games. Usually illegal games. That was the cracked games, hacked games. Stuff like that. That was what we did as kids. And at these times, the games, the freshest games, the newest games, the ones that had just been out from the vendor, the BBSes called them ‘zero-days’. That’s where the terminology came from. ‘Zero-day’.
But as we grew and as cybersecurity came to be, ‘zero-day’ changed a bit, and now it doesn’t refer to video games or computer games, and now it refers to vulnerabilities. Security issues, basically, that can cause damage to whoever is using them. And those vulnerabilities are referred to as ‘zero-days’ when they have not been discovered yet. Nobody found them. Maybe someone found them, and he is maybe exploiting them, but the vendor or the community didn’t find out about them yet, and that’s why they are called ‘zero-days’. The minute they are detected and the minute they are protected, they are no longer zero-days. Now they become one-days, two-days, three-days, n-days, and so on. So that’s a zero-day.
Dubber Right. What’s Stuxnet?
Yaniv Stuxnet is the name of a very famous malware or an attack that happened in 2011, and it is the attack that caused the Iranian nuclear facilities to stop operating for several years. So those facilities are usually top secret and very, very well guarded. And somehow, someone managed to put this piece of malicious code inside the machines that are responsible for the centrifuge and made the machines go boom, basically, and this paused the Iranian nuclear programme for several years. It’s attributed to several places. I don’t think we should go into that. But it was, I think, one of the first cases when we saw the great power of cybersecurity, of offensive cybersecurity, and the damage and what it can really do. This happened, again, in 2011, so ages ago in internet terms.
Dubber Sure. But it’s interesting that… It doesn’t seem like the sort of thing that you would want to have connected to the internet.
Yaniv So, basically, it wasn’t connected to the internet. Many military facilities and top-secret facilities all around the world, usually, they are not connected to the internet, exactly to prevent these and other kinds of attacks. It’s still really unknown what really happened there, but the common word on the street is that what happened is that somebody, or somehow, they managed to put some USB sticks maybe in the car parking lot, or maybe they just handed them over to workers from the facility. They looked legit because a lot of people are just giving you USB sticks, and then it just takes one of these guys to take this USB stick and put it into his computer inside a top-secret network in the facility, and that’s how the malicious code was able to get into the facility without them being connected to the internet.
Dubber Right. You mentioned the phrase ‘offensive cybersecurity’, and that’s an interesting concept because you think of cybersecurity as being preventing things from happening to you, but obviously it’s something that can be deployed to attack. Is this something that you’re trained for when you become a cybersecurity specialist?
Yaniv First of all, I say that it’s a zero-sum game. If you protect against something then somebody needs to attack, so it’s always offensive against defensive. And is this something that you are trained for? From my perspective, if you want to be a good defender, you need to at least know how offenders work, how they think.
I don’t think that everybody gets this training - everybody who works in defensive cybersecurity - for many reasons. Some are legit. Some are less legit, I think, but it’s not a common thing for everyone to know offensive security or the techniques or the methodologies used there. But I think as years go along, more and more people know about this. There are more courses about this. The material gets integrated into many cybersecurity trainings and offerings out there. So I think the knowledge is being shared, slowly but surely, out there.
Dubber Interesting. Is this the future or even the present of warfare, or is this more happening at the skirmish level? More just small attacks on individual installations or whatever. Is there a global battle going on that we may not necessarily be aware of?
Yaniv Of course. I think that we are aware of it. At least me. And if you look at things that are going on in the world - there are many cases - then, yes, definitely. Cybersecurity is the new arena inside any modern warfare, and it’s only getting bigger and it’s only getting better, I would say. And, definitely, next wars… Hopefully we won’t see them, but if there will be such, we will definitely see a lot of offensive cybersecurity taking place throughout this war and maybe even winning the war.
And I think, even, the interesting part is that for offensive cybersecurity, even the term ‘war’ gets… It’s not the war that we know. It’s not tank against tank. It’s not man with a rifle against man with a rifle. Now, it’s just someone sitting in one part of the world pushing a button against somebody sitting in another part of the world pushing a button, with real-life consequences, with real things going on. But there is no actual war. You’re not sending anyone to the front lines. So it’s a different concept. Something that we need to probably get used to.
Dubber Well, this is something that has been part of the public imagination since - I don’t know - Matthew Broderick in ‘WarGames’. This is a long time ago. Were you the kind of kid that was sitting there watching this and going “I have to do something about this. This is my life now.”?
Yaniv Definitely. That was one of the cases. And, yes, I love science fiction. I love this kind of stuff, definitely. It had a big impact on me as a kid and carved my way into cybersecurity. But if you’re asking how did I, specifically, go into cybersecurity…
Dubber That’s exactly what I’m asking.
Yaniv So I’ll give you a good answer for that. There’s one very interesting or memorable case that I remember. I was, I think, fourteen years old, maybe thirteen years old. And, as I told you, computers didn’t have internet yet, and we loved video games. And we shared them either through BBSes or people would come to my home with floppy drives, and we shoved them into the computer and did whatever we did in order to play the games.
And I remember this day when somebody came to me with these floppy drives, and I installed the game, and I started playing it, and then my computer crashed all of a sudden. And looking at what’s going on, I see that there is a computer virus that took over my computer. I still remember the name of this virus. Its name was ‘Haifa’. But, by the way, this is an Israeli city, so it didn’t make me feel very proud of being Israeli. I just felt like “Oh my god. This is the end. All of my video games. All of my life. I’m sitting eighteen hours a day playing this computer. What’s going on?”. I remember this distinct feeling of [groan]. It was such a bad feeling, and I think that was, at least for me, the moment where I decided that “I’m going to fight these things. I’m going to learn how they work. I’m going to understand how they do this. I’m not going to go through this situation ever again.”. And if you’ll ask me, I think that was the tipping point for me, and from that day, I decided that “I will do cybersecurity.”. Again, there was no such term then, but “I will do computer security when I grow up.” and…
Dubber I love that this is like a comic book #1 superhero origin story, that you’ve got the spark. You’ve got the passion and the drive. It made you so angry that you put on the cape and the mask, and now you’re protecting the world from these villains. To what end? Is this a never-ending battle? Can we ever win?
Yaniv No. I don’t think there is an end for this battle. As long as there will be new technologies, there will be new issues, there will be new bugs, there will be new vulnerabilities. It’s actually the opposite of ending. It just keeps getting bigger and bigger, worse and worse. So I think that I have job security for a long time from now, and that’s basically it.
Dubber That seems like a nice place to be. Okay, so I’m interested not just in what the individuals can do and not just what the national governments can do, but at a mid-scale, what can a business do? Let’s say you’ve got a company. You employ a few people. Everybody has laptops they take home. What sorts of things should you be thinking about from that perspective?
Yaniv Yeah, so organisations are a much… They’re a different story. It’s a much bigger playground. There’s a lot more technology that’s integrated into it. The risks are definitely different than if you’re an individual. There’s a lot more at stake here. And, usually, those systems that you have, the technology that you have, are much more complex. They are interconnected. You don’t even know exactly what’s there and how it works. There’s no one singular individual who knows everything. And that calls for different types of solutions, different types of protections for organisations.
And, really, if you look at the cybersecurity field, there’s… I wouldn’t say dozens. There are hundreds or thousands of such solutions. One for every scenario. If your organisation is working cloud-based, if it’s not cloud-based, if you’re running this business, if you’re running this software, if you have users connecting remotely, if you don’t have users connecting remotely. And for each one of these scenarios, there’s usually a solution or several solutions, and it’s an industry. What can I say?
Dubber So are there any best practices that we should apply across the board? Like “If you’ve got a company, everybody should have this on their phone.”, or “They should use that on their laptop.”, or “These are the rules that you should follow.”?
Yaniv So it’s really hard to say because even there, the world is changing. So organisations used to be run very similar to each other let’s say twenty or thirty years ago. You have a data centre. You have your workers. You have maybe one office, maybe several offices. But today, the situation changes a lot because every organisation looks completely different in terms of how its IT networks are built, and that’s the reason why there is no one common solution that could be applied to everyone.
I think there are several solutions, and usually the right approach will be to use the layered solution. So build layers upon layers upon layers of security. So start by, for example, a firewall. Don’t let in what you don’t need to let in. Just like the advice I gave to the home users. If you don’t need this port open, just have it closed. So a firewall will take care of that for you. Then, if you need people to connect remotely or if you have offices remotely, then use a VPN solution that can solve this. Then, if you are receiving emails, let’s say every day, these emails might deliver malicious stuff. You need some email protection there for you. And then it just keeps going on. And this is, even, the traditional organisation.
Now, organisations are shifting to the cloud. It sounds really big, but this is the world, and cloud now offers another challenge for security vendors. So it’s a different world, and the systems are not sitting on-premise now. They’re sitting somewhere in the world. And sometimes they are not even systems. They are services. How do we protect them? So, again, there’s a lot of methodologies there and a lot of companies and a lot of solutions, and it’s really quite a complex world. What can I say?
Dubber Yeah. Where do you start? I know that the good advice is use two-factor authorisation and change your passwords from time to time. Those sorts of things. Is there anything else that might be counter-intuitive that you think “Oh, actually, one good tip, you should do this.”?
Yaniv So this is a really good tip, what you said, for individuals. Not for organisations. It doesn’t really make sense. Yeah, okay, if you’re an individual, use two-factor authentication. Really good advice that will help you a lot with a lot of things. But if you’re an organisation, it doesn’t really make sense. “Well, I have five thousand employees. What do you mean? Use two-factor authentication for all of them? And for what? They are using thousands of services.”. So, again, organisations make it much more complicated. But for individuals, the advice that you gave is perfect.
Dubber Right. Well, I know you have good job security and you have this really great superhero origin story, but you’d be a pretty good criminal, I imagine. What’s stopping you from going down that path?
Yaniv I don’t know. My conscience, maybe.
Dubber Is that what we’re relying on for everybody who does what you do not to become these Lex Luthor masterminds that go and hold cities to ransom or rob banks or whatever it might be? It’s just they’re good people?
Yaniv Well, yes, basically. Why do you trust the cops? They could go and do bad stuff as well, but they choose to be the good guys. And I hope that most people choose to be the good guys. That’s all I have to say about that.
Dubber Okay. Well, we know that there are some bad people in the world. There’s some major headlines recently. ‘SolarWinds’ is a phrase that I’ve heard, and there’s been some other stuff on the news. Do you want to tell us what the big headlines are and maybe even help us understand who the baddies might be?
Yaniv So you mentioned one of the really biggest events that took place just a few months ago. It’s called SolarWinds, and, actually, it’s called SUNBURST, the attack. SolarWinds is actually the product that was involved in this attack. And I think this was really maybe a milestone in development of offensive cybersecurity. Something that I didn’t see throughout my entire career, such an attack. That was a pretty interesting case.
It was something that we refer to as a supply chain attack, and that’s where… So imagine if I want to attack some target, but this target is really tough. I can’t really attack it. It’s really well protected, and it will cost me a lot of money, and I will spend a lot of time in order to attack it. But, basically, I can do something else. I can find out who is supplying things to this target. So, for example, “Okay, I know that he is using this product. This product is called SolarWinds. It’s being developed by this company that’s based in Austin, Texas, and doing that. But this company is much less secure than my original target, so why won’t I go and attack this company, SolarWinds? And after I successfully attack it, let’s implant something inside their software. The same software that they then deliver to my original target.”. And this is referred to, again, as a supply chain attack, and that’s basically what happened. So this company, SolarWinds, got hacked, and whoever their customers were received malicious updates of the software.
The problem with this is that as a customer of SolarWinds, there’s practically no way for you to understand that this software update that you just got - like you do every week or every month - is malicious, because it looks legitimate. It’s signed by SolarWinds. It matches every criteria that you can imagine, and, still, it’s malicious. And that’s what happened.
And, unfortunately, SolarWinds is a very successful company. Not unfortunately. Fortunate for them. But they have a lot of customers and a lot of major customers. Most of them are Fortune 500 companies, and… You can imagine. And all of them are now targets of some unknown attacker, and he can now go into their networks although their networks are super, super protected. And that attack was on such a large scale. So many organisations got hit by this. And I’m not just talking about any organisations. I’m talking about the biggest names that are around, like Microsoft or Cisco or IBM or… And the list goes on. So these are really the software vendors and the hardware vendors which we rely on and use on a daily basis, and just the thought of what happens if they are now hacked and this guy or this organisation or this group can now access their source code, do whatever they want with their product, this is… You mentioned the nightmare scenario earlier. I think this got close to this nightmare scenario. The potential of damage that someone could do using this attack is mind-blowing.
And, eventually, we don’t really know what the real consequences of this attack were. We just found bits and pieces of the attack, and this is scary. This is scary to think about. And, again, you need to go and think “What is the motivation? Why would someone do something like that?” I don’t have a clear answer for that, but I think it’s something that we should all be aware of, that something like this happened, and I think we’re going to hear about this incident for the months and years to come. Surely we’re going to find more details. And it’s one of the major events that I’ve ever seen in my career.
Dubber Wow. And something about exchange servers. There’s been something just recently. That’s a lot of people’s email.
Yaniv Yeah. Like SolarWinds wasn’t enough, then just a few months after that came another issue that’s a really big issue. Now, we’re talking about just a few weeks ago where a security researcher from Taiwan, his name is Orange Tsai - that’s his nickname, at least - he found the vulnerability in Microsoft Exchange Server. So, basically, these are the servers which manage email, sending and receiving, for 99.9 percent of the organisations out there. And the specific vulnerability that he found may allow an attacker to take full control over the servers and basically over the network that he attacks without any authentication needed, without anything but just access to this server. And, usually, these servers should be somehow exposed to the internet because that’s what they do, and that means that basically 99.9 percent of the organisations in the world were actually vulnerable to this thing.
And the worst thing about it is not that… Sometimes you find the vulnerability. You tell the vendor about it. He fixes it, and catastrophe is avoided. Everything is okay. In this case, this vulnerability, once he found it, it turned out that it was already being used in the wild. So somebody might have found it before him, but this someone just didn’t tell Microsoft about it. He just took it and used it. So you can imagine how many days, weeks, months, years we have lived thinking that everything is okay while there is this someone in the world that can just, with a click of a button, go into almost any organisation in the world that he wants to and do whatever he wants in there being completely undetected. That’s to finish off with a scary story. So here is the scary story for you.
Dubber So when they find a vulnerability, presumably the response is to patch the vulnerability. But there isn’t a way to find out what that vulnerability has allowed, right?
Yaniv Well, you always know what the potential is, but the good guys would report the vulnerabilities to the vendors. The bad guys would find the vulnerabilities and not report them at all. And “What usage do they do with these vulnerabilities?” is unknown.
Dubber Presumably there’s a market for that. There’s a market for vulnerabilities. People saying “You find something in Microsoft Exchange Server, come to us, and we’ll give you some money for it.”
Yaniv So, first of all, there are several markets for these kinds of things. There are the, let’s say, legitimate, quote-unquote, markets, and this is by legitimate companies, sometimes even nations and states. They want to have access to such vulnerabilities. Sometimes, by the way, companies will have these programs called bug bounties, saying “Okay. You find the vulnerability in my product. You did a lot of work for that. Let me pay you your bounty for that.” And there’s actually a lot of money going on in these markets, but these are the legitimate markets.
The same markets also exist in the darker corners of the internet where you sell to much less legitimate people the vulnerabilities that you find, and you might imagine how they use these vulnerabilities later. The prices in these dark places usually are much, much higher than the legitimate ones.
Dubber Wow. So where to from here? You mentioned awareness at the beginning, rather than concern. What’s our recommended further reading here? What should we go and find out to be more aware of these sorts of things?
Yaniv Well, first of all, there’s a lot being written and said and a lot of places you can go and hear about cybersecurity, if you want to, and read about it. It’s really all over the place. I can’t recommend one place as opposed to another, but, really, the internet is full of them. Just go into Google and type ‘cybersecurity’, and you will find a lot of good reading places.
I think, for the general public, just be aware of the situation. Be aware of the new findings. Be aware of the new vulnerabilities being found, of the new cybercrime campaigns out there, of the new techniques being used. So you should be aware of that. You don’t need to understand every bit and byte of that. You don’t really need to understand how it works or who is doing that. You just need to understand that it’s out there and it’s being used, and as long as you have that in mind, I think you are already halfway to being protected. And the second half is much easier than the first one, and that’s just a matter of pushing some buttons and probably you’ll be protected from that. But if you don’t know what’s out there and if you don’t know what the risk is, then there is a very small chance that you’ll be able to protect yourself against it.
Dubber Fantastic. Well, it’s reassuring to know that there are good people like you plugging the holes and making the world safer for us. So, Yaniv, thanks so much for your time. I really appreciate it.
Yaniv Sure. It was my pleasure.
Dubber That’s Yaniv Balmas who is Head of Cyber Research at Check Point and also self-confessed former BBS computer game pirate. You can find some of Yaniv’s presentations about cybersecurity on YouTube, as I did, and you can also follow him on Twitter, @ynvb. I’m Dubber, @dubber on Twitter, and MTF Labs is @mtflabs everywhere. Thanks to airtone and Be Still the Earth for the music, to Run Dreamer for the MTF audio logo that you’re going to hear shortly, and to the MTF team - Sergio, Mars, and Jen - for making it all come together. That’s it from me this week. Don’t forget to back up your hard drives, wear a mask, update your software, wash your hands, change your passwords, stay safe, and we’ll talk soon. Cheers.