Anton Dahbura & Joseph Carrigan

Killware and the Coming Digital Pandemic

Air Date: November 22, 2021

Johns Hopkins University Information Security Institute executive director Anton Dahbura and senior security engineer Joseph Carrigan discuss hacking, ransomware, and vulnerabilities to critical infrastructure.

READ FULL TRANSCRIPT

HEFFNER: I’m Alexander Heffner, your host on The Open Mind. My guests today are Anton Dahbura, the executive director of the Johns Hopkins University Information Security Institute, and an associate research scientist in computer science, and Joseph Carrigan, a senior security engineer at the Johns Hopkins University Information Security Institute. Anton and Joseph, welcome.

 

CARRIGAN: Glad to be here.

 

DAHBURA: Thank you. It’s good to be here.

 

HEFFNER: Joseph, let me ask you to begin with, as an engineer, you’ve become aware of some of these high-profile incidents of outages in the internet ecosystem, but some of them have not been prominently covered. For example, in recent weeks, Bank of America, on the first of the month, which is payday for a lot of people, first day of the month, rent, other services that are going to be paid by companies and individuals. There was a prolonged outage, and we’re not talking about 30 minutes. We’re talking about hours.

 

CARRIGAN: If I were a Bank of America engineer, I’d be very interested in preventing that from happening. I haven’t seen a lot of explanation as to what caused it though. I’d like a little bit more transparency from large organizations like this. You know, when we had the Facebook outage, which I think you’re kind of alluding to, that garnered much more media attention than the Bank of America outage. And Bank of America, or Facebook said though, this is an internal problem that we have. And I haven’t seen any explanation like that from Bank of America. Perhaps they’ve made it. I just haven’t seen it. But it is something that is from time to time it’s going to happen. And we are incredibly reliant upon the very nature of the internet and we’ve become that way over the past 20, 30 years. So I think that it’s incumbent upon all of us as users to understand that these things are going to happen and we should have contingency plans for it.

 

HEFFNER: Anton. Let me ask you to follow up. We have certain definitions that we should get out there in the open for those who are not familiar with cyber hygiene or security. Ransomware and now killware, which is in effect a kind of ransomware or hijacking of systems that can literally cause injury or death to human beings, are what folks, institutions, and individuals seem most concerned about right now. And I was wondering if you could give us an overview of how you see the current state of ransomware and killware right now?

 

DAHBURA: Sure. Thank you. So ransomware, as more and more people are becoming aware, is a, an event in which bad guys take over a system. And by the way, it doesn’t have to be a huge enterprise. It can be my laptop, for instance, and they can lock up my files and demand payment in order to either release those files or in some cases they threaten to put them out in the open, which a lot of people wouldn’t want to happen. And in most cases, they demand payment in some kind of cryptocurrency. Killware is a version of ransomware in which there is physical harm that can be, that can lead to loss of life. So it’s a special class of ransomware, although it is kind of a gray area because of critical infrastructure such as power plants and even the food chain. If any part of the food chain is affected that could cause harm to people. So it really is, it’s an extremely serious problem. I really can’t underscore how serious the ransomware problem is right now in the United States and really around the world.

 

HEFFNER: We’ve become aware of new technologies that allow hackers to penetrate systems, even without you doing what was kind of normally understood as the way you could let a foreign insurgent in your system by clicking on a link. That can happen now, independent of any kind of clicks, right?

 

DAHBURA: It can, although last time I saw clicking on the link is still the root cause of over 80 percent, perhaps as high as 90 percent of ransomware attacks. So it is happening. Word isn’t getting out, or it’s just not it’s not sinking in and all it takes is for one person, one person who’s distracted, multitasking, or just can’t resist the temptation of clicking on the link that says they won a prize that day. But there are all kinds of ways of getting into networks through software that inherently has vulnerabilities. And, or through other means like, you know, in some cases, somebody putting a thumb drive into one of their systems inside the network and that’s all it takes. It has malware on it. And as soon as the, as soon as the thumb drive is connected it unleashes its malware. So there are many, many root causes of this. Companies that that create software operating system applications, they’re constantly trying to get ahead of this. But it’s a game of cat and mouse, and there are so many, and also companies and people, we all need to keep our software updated. Whenever we get a notice that it’s time to upgrade software, it’s the most important thing that we can do.

 

CARRIGAN: I would add that you’re the human factor in this equation is not, not to be underestimated. One of the biggest things that these guys go after is they go after people’s login credentials, and they do that with a phishing attack that says something like your password’s about to expire, please come in and reset it. It could be something as simple as that, or it could be something that is directly targeted at the person that says, hey, John, can you take a look at this attachment that I have on Microsoft cloud? And then it takes you to a fake landing page that says, give me your Microsoft 365 login credentials, and then that person can actually access your institution as you. And they don’t just have access to your email. They have access to things like teams that we normally view as a secure environment for us to talk back and forth on, and people can spread through the network that way,

 

DAHBURA: And it doesn’t eat that it doesn’t have to be via computer or email all the time. It can be via telephone. Someone who claims they’re a technician is working on something and they need information from you. It can be via text, chat.

 

HEFFNER: Now let’s return to Facebook and BOA. Is your assessment Joseph that in all likelihood those events of the last month were not the result of any attempted hijacking, not necessarily ransomware or killware, although, you know, in effect, there could be a kind of killware that is unconcerned with payment. They just want to paralyze the entire global economy, right? So from your vantage point, based on what Facebook has explained, and we, you said earlier, BOA has offered no explanation. In fact, they were, they were quite late and not even forthcoming with their clients and users. Whereas Facebook and often other online social platforms are rather quick to acknowledge any kind of shutdown. So in your estimation Joe, is your sense that in either of these instances, there were any foreign actors attempting to take over or to paralyze those outside institutions?

 

CARRIGAN: At this point, I’m not prepared to say that. I think that Facebook was pretty, you know, their, their explanation made sense that it was a border gateway protocol problem and that can shut things down. But to your point about the difference in communication styles, if you think of, you know, we think of people as being digitally native or having, you know, like maybe like Tony and I, we didn’t grow up in a world where we’re steeped in computers and computers all around us. I mean, we both grew up in technical fields, so we’re better off than our peers our age, but think about that in terms of companies as well, you know, Facebook is a digitally native company, so they’re prepared to go out and address this. And Bank of America has been around for a much longer time.

 

One of the things that I frequently tell people who are running companies is you really, really, really need to have a game plan for when something happens that involves being transparent and communicative, telling people what’s going on. Even if you don’t know what’s going on, you can just say that. We don’t know what’s going on. We’re checking it out right now. We know that some of our customers can’t access our online system. But, and this would be a key piece of information because it didn’t look like any user information was compromised during this event. That’s something you tell people, right? That’s something that puts people at ease.

 

HEFFNER: Right. And, you know, folks who are regular viewers of The Open Mind know that I like to invoke Mr. Robot. In fact, I emailed you two gentlemen, and I mentioned that program because it really speculates about the scenario of not an hour’s long outage of Bank of America, but Wells Fargo, Chase, BOA, all go down and folks can access, you know, at least in the United States, what is your necessity, your calling card for life and your livelihood, your bank account, or bank accounts. And we’ve been talking from the very first program I hosted in this series about the potential for a digital 9/11 or Pearl Harbor in which there is not again, an hour’s long or even days long outage, but there is manipulation of the system that wipes out people’s savings, potentially, or at a minimum you know, causes great havoc for a period of time when people can’t access their bank information or other personal information.

 

And, it was striking to me, the fact, Joseph, that the Facebook outage caused more of an uproar because folks couldn’t see, you know, their friend’s child’s bris, whatever. And, yet you have a major banking outage, and that got very little attention, CNBC, I don’t think ever reported on it. Credit, a lot of local news affiliates I know on in Atlanta, one of the major networks in Atlanta covered it. IN But my basic question to you is if we are vulnerable to a banking outage of several hours, if not a whole day, it was virtually a day and change for some people, why are we not vulnerable to a days or weeks long outage or further manipulation of these systems?

 

CARRIGAN: I don’t know that we aren’t vulnerable to that. That would become a, that’s a much more of a tactical question, right? I mean, it’s just a strategic problem, but once you start at the action to becomes a tactical, a tactical problem and it depends on how that goes and what happens next, you know, do I take down, or if I wanted to attack somebody, do I just break all of their systems by essentially encrypting all of their operating systems with something like ransomware that like, as Tony alluded to earlier, doesn’t have any demand for ransom. I just encrypt everything and now you have to spend days recovering. And if I can keep what they call persistent access, then every time you recover a system, I can reinfect it. But there, you know, there are policy or procedures for going about this and best practices and incident response.

 

And one of the first things you do in an incident response is assess where you are and try to get the attacker out of the system. If you can get the attack out of the system, then you can begin to make progress. But if you can’t keep the background of the system, then you have a real problem. The banking problem in terms of you know, a cyber–Pearl Harbor, or a cyber 9/11, actually, that doesn’t concern me as much as something Tony alluded to earlier. And that’s an attack on the food supply chain. That would be something that would be absolutely devastating if that went on for three days and we started losing the food supplies that were in the grocery stores. That would be, I think that would wind up with real civil problems, civil unrest problems. That’s the attack that keeps me awake at night, not so much the attack on the on the banking system, but more of the attack on the more basic human needs, lower, far lower on Maslow’s Hierarchy of Needs.

 

DAHBURA: I think that there are multiple competing forces at work here, if you will. One is that, of course, the holy grail for any bad guy is to take out the major, the things we all talk about, that even show up in science fiction, you know, the major banks or the national power grid and so forth. So that’s, that’s one desire. On the other hand, these major entities are investing billions of dollars in defense. So they’re not really soft targets anymore. On the other hand, they rely on third-party software. There is software that they use in common. So it is possible that someone could find a so-called zero-day vulnerability that could have a major impact somewhere. I would say that that’s becoming less and less likely. Then there’s the other, the other factor, which is that the bad guys are really, really cleaning up in the, the soft targets. You know, there are some elite hacker forces that are doing sort of mission impossible style attacks that are really gee wow. But the vast majority of it is just finding open doors and walking right in. And there are many, many of them. So when a door closes, the bad guys, just move on to the next open door. And so, unfortunately there are open doors in critical areas. And so the race is to close these doors faster than the bad guys can get to them.

 

HEFFNER: Well, and I do wonder how much profiling of these hackers is going on in terms of understanding motivations. The situation that I described in Mr. Robot is a rebelling against societal excess, specifically income inequality. And that’s why I’m particularly interested in this banking idea. Because to me, the fictional scenario presented in that television series is quite emblematic of our trajectory right now. You know, we saw that Schwab reported within the last week that the, you know, 1 percent of this country has more income, more liquid than you know, the entire, the entire middle class. I mean, it’s mind boggling, but then you, then you see something like a Mr. Robot and ways in which there may be motivations outside of simply, you know, paralysis of systems or, you know, personal animus, but actually wanting to use that kind of nefarious criminal activity as a means to make society more equitable. And to me, maybe five years ago when Mr. Robot came on the air, that was a far-fetched notion. But it isn’t so far-fetched today. And I just wonder Anton, what your reaction is to that?

 

DAHBURA: Well, I actually, I think it’s the opposite. I think it’s a little more far-fetched today than it was five years ago because of the investments that companies have made in protecting their, their digital infrastructure. There really has been a wake-up call. There has been mobilization and information sharing. There has been workforce training and all kinds of things that cost a lot of money to defend against these attacks. Is it possible, anything’s possible, but again, I think, and there are ideological groups out there that want to, you know, want to send messages that, that are consistent with their with their ideology. There are also nation states, and that’s what they, you know, people do for a living day in, and day out just see what they can get into. And then there are people who are doing this for for-profit and the, the profit and the nation states are the two predominant factors in my opinion at this point.

 

CARRIGAN: Verizon releases the data breach, data breach investigation report annually. And I think this year, they said something like 90 percent of these attacks were all financial, were all financially motivated, 90 percent of all the attacks investigated financially motivated. That is a vast difference from 20 years ago when I would be giving talks or asking people, people would be asking me, why do they, why do these guys do this? Oh, maybe for the notoriety, maybe because they have some kind of ideological reason. And then all the way down at the bottom was maybe because of money. But now that’s, that’s the lion’s share. The vast majority of this is financially motivated. These people are going after people with, for any amount of money that they can go after. And they’re using all kinds of different scams and techniques. Usually it’s fear. They’re trying to scare people into giving them money. But it’s it can also be exploiting somebody else’s greed or just their kindness. But that’s usually what they’re going after is money.

 

DAHBURA: One example, just a couple of weeks ago, I know a company that the ransom that they had to pay was half of their net revenue for the year. That’s a huge amount of money. And it’s, it’s really, when we look at ransomware, we really have to start looking at it. We have to start analyzing it like any other industry. We have to look at its means of growth. We have to look at disruptor factors and so forth because it is because it really is, it’s become an industry. It’s pervasive and scalability is easy. And so it’s really something that it’s going to have an impact on the economy of the United States. Ultimately, if we can’t reverse the course.

 

CARRIGAN: Right. And Tony makes an excellent point. These things are run very much like businesses. In fact, we’ve even seen, there are some ransomware organizations that will say you know, they’re essentially franchising their operation to people who have access to another company. They say, just give us the access. We’ll go in, we’ll encrypt all the files, and you’ll get like 70 percent of the take, because that’s the hard part of the work is going out and finding a vulnerable company or penetrating a company. And once they do that, they, the rest of it is trivial. These, these are done with kits and they, they will even go so far as to analyze the financial records of the company they’re about to encrypt the data of, to find out what ransom they should charge and what they, so they maximize the likelihood that these people pay the pay the ransom.

HEFFNER: Do we know of the victims how many are paying the ransom and how many are refusing to do so? How many are able to extricate themselves from the crisis and the paralysis of their network without having to pay the ransom?

DAHBURA: The last information I have, it’s about 50, 50, Joe I don’t know what you’ve been seeing.

CARRIGAN: Yeah. I actually don’t have hard numbers on that. But I know a lot of companies pay it like with the colonial pipeline was, all their systems were encrypted. They paid the ransom.

 

HEFFNER: Well, let me ask you this, Joe, do they engage law enforcement in attempting to recoup the ransom or attempting to basically engage the third party, the criminal, and give them the impression that they are getting something, but ultimately they’re not getting something, because it’s appearing that they’re getting something, but they’re not going to, I mean, there’s, is there some tactics being, are there some tactics like that being deployed?

 

CARRIGAN: There are tactics like that. There’s actually a business, a niche business that is of ransomware negotiators that you can hire once your, once your business has been hit with ransomware, you can make a call to these guys, and they’ll come in and they’ll handle the negotiation with the guys who are charging you a ransom. And a lot of times they’re successful in reducing the amount that gets paid. And sometimes they’re not successful. Sometimes the guys, the ransom gang just says, look, this is what it costs. Stop, stop talking to us. We have all the time in the world. You’re the one with the business that can’t operate right now. So either restore from backups or give us the money to decrypt your file.

 

HEFFNER: But isn’t the government position in a way to provide the appearance of that transfer, or basically give folks the assets they need and then recoup them, or is there not really a way to do that?

 

CARRIGAN: There was one case recently, and I can’t remember what the case was, but they recovered about 75 percent of the ransom that was paid.

 

DAHBURA: It was colonial. It was Colonial pipeline.

 

CARRIGA: Colonial. Okay. So they got that back. And that was actually the franchise, the franchisee that they got the money back from. It wasn’t the, it wasn’t the ransomware gang. The ransomware gang had better operational security, if you will, to keep the money that they had. But the ransomware franchisor, you know, the guy that, you know, think of the guy that runs a McDonald’s in your neighborhood, this guy, he didn’t have the best operational security. So they were able to call that money back.

 

HEFFNER: Tony, we’re almost that we just have seconds left, but let me just ask you quickly what, what is the policy that we should be pursuing, you know, when it comes to any kind of government intervention here to help individuals in the private sector and help themselves because the government has been, and continues to be susceptible to the same kind of ransomware or killware attacks, but to your, you’re less concerned about the hijacking of the banking system. It seems like the potential for the electrical grid, or food supply, as we’ve seen recently, you know, pipelines distributing natural gas or natural gas or oil that

 

DAHBURA: The water supply.

 

HEFFNER: Water supply, oil supply, food supply, that those are the areas where especially malevolent, foreign outside of the U.S., non-U.S. cyber terrorists would be poised to attack us. So what should we be doing? What can the government be doing, or, if not the government you know, really our cyber infrastructure?

 

DAHBURA: Well, I think that the federal government is on the right path in a lot of ways. Information sharing is a first point. And also going after the sources, working with, they have to work with other governments to go after these bad guys, the vast majority are not working within our borders. Awareness and doing everything possible to help companies improve their defenses. So really attacking the problem from all sides. Only the federal government has the resources, the ability to do that, but it really is, it’s on the, on the verge of being a national crisis, if it isn’t already.

 

HEFFNER: Yes or no question, I believe based on your responses, the answer is no, but the, you don’t believe that there are cyber terrorists who are capable of doing what was done in Mr. Robot, which is basically wiping out every record of individuals’ bank accounts, so that even if they were destroying the online infrastructure there would be some record preserved of people’s bank account. You do not believe that any cyber terrorists are capable of basically destroying our financial system?

 

DAHBURA: That’s correct. I do not, but they’re working on it,

 

HEFFNER: Joe?

 

CARRIGAN: I would agree that I think that there’s enough data that these organizations have kept back up, kept backed up, but that doesn’t mean they can’t disrupt things and make things miserable for short periods of time. And that may be enough to carry their message forward.

 

HEFFNER: Joe and Tony, thank you so much for insight today.

 

CARRIGAN: Thank you. My pleasure.

 

DAHBURA: My pleasure.

 

CARRIGAN: My pleasure.

 

HEFFNER: Please visit The Open Mind website at Thirteen.org/OpenMind to view this program online or to access over 1,500 other interviews. And do check us out on Twitter and Facebook @OpenMindTV for updates on future programming.