Towards neutrality in securing our cyberspace
To many of us who work in security, the thrill and prestige of working on anything related to hacks is compelling. Whether we work on the offensive side or the defensive side, cybersecurity is indeed a lively field to be in.
The human element is the theme of this year's RSAC 2020 Asia Pacific in July. Indeed, we are very dynamic and unpredictable. We are usually the antagonists of any security resilience. A few days ago, Citizen Lab released its Dark Basin report on a hack-for-hire operation. The report, and the way it uncovered such an operation, is captivating, and it seems justice is served to those who fell victim to the different hacking campaigns.
Beyond the story on hack-for-hire, the report made a few interesting (though not surprising) points worth noting. First, private-state collaboration seems to live on. State-sponsored attacks are not new, and there have been discussions on the topic throughout the years. Regardless of your nationality, we are all affected when we share the same cyberspace. In Dark Basin, the operation is traced to an Indian entity, BellTroX, which is responsible for the hack-for-hire operation behind the scenes. Several BellTroX employees are cited as receiving endorsements from private investigators with career links to federal agencies in the US and Canada. While such links could be rationalized as BellTroX assisting investigators in some white-hat way, it also raises the concern that the operations may not be as black-and-white as they should be. The conspiracy behind a state-sponsored attack raises concern precisely because there is almost never any transparency over the matter.
Secondly, Dark Basin manages to put together a sensible timeline through different e-mail leaks. Information leaks are not new, and in all honesty, e-mail remains critical in business communications. Nonetheless, we have yet to properly master e-mail encryption to secure them. I assume these hacked e-mails were valuable to their owners and the leak was accidental. Then, the question is: why were the messages not encrypted with keys? On reflection, I think the best excuse is that e-mail encryption and decryption can be cumbersome. Many e-mails mentioned in the report were dialog-based. It can be a major headache if I have to decrypt the e-mail and re-encrypt my reply every time on my mobile device just to answer quickly. Furthermore, if the public (or worse, private) key is compromised, the e-mail chain could be lost. Usable security remains a challenge with room for improvement.
Lastly, BellTroX had its biggest success in phishing. In recent years, hacks have seldom relied on brute-force attacks alone. Rather, some kind of phishing is used to gather ‘insider’ information to assist with the attack. Phishing is one of the most difficult threats to defend against, in my opinion. Indeed, there are cheap phishing attacks where the spelling mistakes give away that the message is fake. When the attackers are more sophisticated, we could easily fall victim to an attack. There is no bullet-proof solution to phishing, other than staying alert and applying our security patches often.
At the end of the day, I believe a Dark Basin 2.0 will emerge. Security is a never-ending cat-and-mouse game. There is no winner or loser, only the assurance that our cyberspace will remain just as insecure.