Bretty Visits The Upside Down: When Warning a Company of an Exploit is Met with Friction
They say "No Good Deed Goes Unpunished". No idea who "They" are. The only thing I know is "They" talk a lot. I never put much stock in that phrase, but I got to thinking about it recently after a phone call.
I was on a conference call the other day. I had posted an article a few days ago talking about how criminals were circumventing Two-Factor Authentication in some circumstances. The article was written by an asset (Mike M) currently working for law enforcement. He is a cybercriminal doing his best to stay out of prison by assisting law enforcement. I understand he is doing some amazing stuff. He contacted me and asked if I could post an article. I agreed. The workaround “Mike M.” posted is not the least bit complicated, not the least bit sophisticated, it’s just a simple workaround employing a prepaid mobile device registered in the name of the victim. Not Rocket Science. But it is VERY illustrative of how cybercriminals often don’t have to resort to sophisticated means in order to successfully compromise a person or business.
I'm on this conference call because this one specific financial institution wants to know about the exploit. The tail end of Mike's article mentions this technique works when committing New Account Fraud. It was almost a throwaway line in the article, but often it's those types of lines which hit hardest. A friend of mine reached out to this financial institution and arranged the call. The call was to discuss the exploit and make sure they knew about it. I admit, I had a bit of trepidation going in. This is an institution which has had severe difficulties with online fraud in the past, everything from New Account Fraud, Synthetic Fraud, and more. My concern was whether they were even going to listen.
Turns out seven people from the institution signed up for the conference call. I feel better. Why would seven people be there if they weren’t going to listen? The call starts, introductions are made, silence ensues. I break the ice by going into where the information originated and also explaining a bit about how cybercrime works as a whole.
I began by explaining that the vast majority of cybercrime isn't sophisticated, it isn't committed by upper tier hackers. Most crooks are just fraudsters plugging numbers or looking for "workarounds". This technique was a workaround, not complicated, but effective.
I got it from a fellow currently working for law enforcement who asked me to share it, kind of his way of trying to give back. I agreed and published it. I then explained the workaround. It took twice as long to lead up to the workaround as it did to explain it.
I was met with silence. Not out of the ordinary. Often on a conference call with a lot of people no one knows who is going to speak and those uncomfortable pauses come up. Then a nice fellow started to speak. He got out two or three words before being cut off by a gruff, grumpy voice.
Mr. Nice Guy: Thank you, Brett. What…
Grumpy Grufferton: The guy who told you this is working for the FBI? [Hmm. I didn’t think it possible a person could bark and talk at the same time. That’s Grumpy Grufferton, though. Weird. One question—eleven words—and Grumpy has already told me he doesn't like me, doesn't believe me, doesn't want to hear from me. This is shaping up to be a good call.]
Bretty: That's correct. Very competent fellow, trying to work some time off his sentence.
Grumpy Grufferton: What's this guy's name? [Grumpy is Angry. Angry with a capital "A". Like Hulk Angry. Not sure what I did to piss him off. I start wondering if maybe when I was a criminal I stole his credit card or filed taxes in his name.]
Bretty: I'm sorry, I can't tell you that. He’s currently working for law enforcement.
Grumpy Grufferton: And you won’t tell me his name?
Bretty: I’m sorry, I can’t. [Hmm. I would think the exploit would be more important than the fellow sharing it. I guess not.]
Grumpy Grufferton: Why didn't the FBI tell us? It’s their job. It isn’t your job. Why are you telling us and not them?
Bretty: You'd have to ask them. This isn't from the FBI. This is from a criminal trying to work some time off that just shared it with me. It has nothing to do with an FBI investigation.
Grumpy Grufferton: Why did he tell you? [Complete disdain. It’s palpable. I start thinking about a number of more pleasant things I could be experiencing: A root canal, waterboarding, running headfirst into a brick wall….]
[No one else is saying anything. I wonder if it's because they all agree with Grumpy or if they're intimidated by him. I don't intimidate easily.]
Bretty: I’m fortunate enough to know the fellow. He reached out to me, explained the exploit and asked if I would publish it. I agreed. [Ok. Maybe I said it as if I were speaking to a child. Not my best moment, I admit.]
It's evident Grumpy and I are on the verge of an argument. Some others start talking, trying to ask questions and calm the situation. Grumpy shuts them down pretty quick, telling them he is former law enforcement and he knows how these things work. Former law enforcement? That's odd. Every interaction I've had with law enforcement since I began speaking and consulting has been great. Every interaction. I honestly cannot think of a single law enforcement official who hasn't been supportive. It blows my mind that this guy is ex-law enforcement and he's acting like this.
Grumpy Grufferton: I want to know what jurisdiction this guy is in. That way I can find out exactly what’s going on. I want to speak directly to them.
Bretty: You mean the field office?
Grumpy Grufferton: Whatever.
Bretty: I'm not going to tell you that, either. I can't. [True. I can't. "Mike M" has permission to start reaching out to the good guys in the private sector. I'm trying to help him do that. But I've not been given any go-ahead to discuss his identity, where he works, the specific work he does, or anything else. I'm not about to start.]
Grumpy Grufferton: Ha!
Bretty: Look, I’ll check to see if I can tell you those details, is that…
Grumpy Grufferton: You can’t even tell me where this guy is working?!
Bretty: Look, I’ve had enough. The only thing you need to be asking is if this exploit works in your system. The answer is--it does. The next thing you need to ask is what you can do to stop it. That's the only thing you need to be asking. It’s a good thing it isn’t hard to fix.
I go on to explain a way to stop it. Grumpy doesn't respond.
I hear a loud disconnect-like noise. I think Grumpy disconnected.
With Grumpy gone we have a very productive call. The exploit is discussed, the company says they will go back and look at things. The call ends well.
I started writing this blog article as a way of letting off steam. I stepped away from it the past 4 days and came back this evening to rewrite and finish it up. I found there is a lesson to learn here.
First, it’s completely normal to wonder where an attack originates. If someone has their credit card stolen, they want to know who stole it. If a company is hit with fraud, or an exploit is found, it’s normal for the company to want to know where it originated. Sometimes that information is available. Sometimes it isn’t. Often, it doesn’t matter where the information originated, only that it is out there being used by criminals.
My thought is the first thing to worry about is whether the exploit can be used against you. After you answer that question and act on the answer, then you can take the time to discuss where the exploit came from. Discussing origins when you need to be acting only gives crooks more time to rip you off.
That doesn’t mean every piece of news which a company gets is valid. Some of it isn’t. To be fair, maybe Grumpy Grufferton was trying to figure if the information was valid. I’m not sure I believe that, though. I have a well-documented background and expertise in cybercrime. Most tend to listen to me when I talk about online crime. Add in that during the phone call—after Grumpy went silent—one of the other 6 people confirmed that the exploit worked on their system. I don't think Grumpy was trying to figure how valid the exploit was as much as he was just trying to show his authority. That's a problem.
The bigger issue, though, is meeting someone trying to tell your company of problems with disregard and disdain. That attitude often results in fewer people coming forward out of fear of being treated the same. If a company treats outsiders in this manner, how does it treat its employees? Does a company like that act the same toward an employee who is trying to report something? Is there some fraud manager there who meets internal reports with disdain or disregard? That type of attitude results in very few employees sharing their knowledge and insight for fear of being attacked, embarrassed, disregarded, etc. I think it was telling that during the call no one from the company spoke up until Grumpy Grufferton was gone.
All it takes is one person with a foul attitude in a position of authority. Cybercriminals LOVE those people and situations. A fraudster knows that a company like that is an easy target. It takes longer for a company like that to find holes, exploits, and workarounds being used by criminals because a valuable source of intel fears the consequences of sharing knowledge.
I’m sure there are other companies out there with their own Grumpy Gruffertons. If so, maybe someone needs to talk with them and explain the harm they are causing. Just a thought.