CyberWire Daily - Cybersecurity during the World Cup. [Research Saturday]
Episode Date: December 10, 2022
AJ Nash from ZeroFox sits down with Dave to discuss cybersecurity threats, including social engineering attacks planned surrounding the Qatar 2022 World Cup. The research shares some of the key threats... we might see while the World Cup is happening this year. Researchers say "During the World Cup, there will likely be threat actors aiming to acquire personal information or monetary value through phishing and scams." In the research we can find how the venue host is preparing for these claims of attacks. The research can be found here: Qatar 2022 World Cup Event Assessment
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
You know, anytime there's a major event, like you said, you know, the World Cup now,
it could be, you know, the Olympics. First of all, there's a lot of preparation that goes into it.
That's A.J. Nash. He's vice president and distinguished fellow for intelligence at ZeroFox.
The research we're discussing today is titled Qatar 2022 World Cup Event Assessment.
Getting set up for this.
Everybody understands the threat is going to increase
to these events, both physical security and cybersecurity.
So there's a lot of buildup to that,
and organizations tend to set up these large SOCs,
these security operations centers,
bringing in lots of different government agencies,
vendors from around the world to really set up.
So a lot of preparation has gone into this
prior to the event ever kicking off.
I personally have been involved in some of the run-up
for a couple of Olympics.
I've seen how that works out.
And in doing that, there's a lot of prep work done
to understand who are the likely threats,
what are the likely tactics, techniques, and procedures
as related to the technology.
So there's a whole acquisition process
that goes into that as well.
What technology should we acquire?
Anything from your comms, whether it's your cell phone systems, your chat systems,
what communication structures you're going to have, but also ticketing, point of sale,
all the things you would expect that are these big events, including accommodations, hotel reservation systems and transportation systems.
They have a new metro system, a new train system.
So all of that had to be prepared for.
That's why these events take years to prepare for.
It's not just the construction projects to get that set up.
And then as you start getting closer to the event, those SOCs get run up and you start running your collections to understand what are we expecting to see. There's also a whole social media monitoring campaign that goes with that and dark web research to try to stay ahead of adversaries and understand what they might be interested in. Generally, large events like this,
you're looking at a couple different types of adversaries. There's certainly going to be the
financial. There always is. Whenever there's money, there's criminals. There's certainly
going to be a financial aspect to it. Somebody trying to set up scams for tickets for, like I
said, accommodations, all of these things.
But with these larger events like the World Cup, like the Olympics, there's a political aspect to these.
You have a lot of nations from around the world getting together.
They don't all agree on things, and therefore people don't all agree.
So there's almost always going to be some level of political concerns.
You have to look for activists.
You have to look for terrorism, social activism, and
how that might play a role,
protests and things like that. And then that's
all overlaid on the laws
of the nation, the host nation.
So the laws, for instance, in Canada
or the U.S. or Paris
would be very different than the laws in Qatar
and how those type of activities
are going to be treated.
So all of that, I'm quite confident, has gone on for,
since this was awarded 10 years ago,
but certainly for the last couple of years
in building up that knowledge base
and that level of comfort of what we should expect to see
and what preparations are in place to account for it.
Can we go through some of the key elements
that you and your colleagues report on here in the publication?
You know, some of the real, I don't know, proximate things that they're looking out for here.
Yeah, I think we've seen some of these things reported in the media, right?
So you're looking for human rights activists.
There's been a lot of discussion there in Qatar and their policies towards the LGBTQ community.
There was a bit of an uproar, actually, unrelated to that,
but Qatar at the last minute changed the policy on alcoholic beverages
and where those were going to be located.
And so Budweiser had some issues with that because they were a sponsor.
So you have to look for what you're going to see there in terms of responses.
Are people going to have adverse responses physically, but also in cyber?
Anytime somebody's upset, it can trigger an event like that.
I saw that some of the crowds were, I believe it was the Brits who were chanting,
we want beer, because there was no beer in the stadium.
Exactly. Yeah, it was a last minute change.
Qatar made a few changes at the end there that FIFA took some grief for
and had to make some public statements about that people have been upset about. And really, this entire event,
there's been some controversy from the beginning when Qatar was first awarded World Cup. And so
that sort of plagued them along the way and some whispers of how they were able to acquire the
World Cup. So any sort of changes like that at the last minute aren't favorable to them.
But some of the things we covered in the paper specifically, certainly ticketing scams, again, are a big challenge.
They are in any kind of event like this.
And we have some examples of efforts to exploit folks with that.
Some phishing campaigns that tied lures.
The World Cup is, again, a major event, like any major event, is a great lure when you get into phishing campaigns.
Whether it's, again, a sporting event, whether it's COVID, whether it's an election,
anytime there's something that captures the attention of the world,
you can really bet on somebody turning that into a phishing campaign.
So we've certainly seen a jump in some phishing campaigns tied to COVID.
Now we've seen them tied to FIFA Qatar 2022.
Fake campaigns to get free tickets and things that have been tied to cryptocurrency.
Anything to try to steal people's money, of course, has been available.
Social engineering always comes into play.
Again, using things like fake lotteries.
Counterfeit ticket sales have been tied to that, too.
So people are targeting folks through, you know, social engineering campaigns.
And again, the lure is this event.
You know, these tickets are expensive.
They're hard to come by.
This is the world's largest sporting event.
I'm pretty confident it's between the Olympics, but I think this is the biggest one.
So, you know, it's a massively popular sport. So, again, that opportunity, as people want something, whatever that want is, as that want grows, their caution
shrinks, you know. So, for instance, I know we've talked before about Black Friday events and
scams with that. As you really want that hot thing, you talk yourself into believing things you know
you shouldn't. Same thing will happen with something like a World Cup. So scams are on the rise as a
result of that, and we covered some of that. Mobile app security, another piece that came up here,
you know, it's a requirement
for everybody 18 and over
going to the Qatar World Cup
to download a couple of different apps.
So that opens the door
for concerns about monitoring.
You know, are those apps
going to be hacked?
Are they being monitored?
You know, what's the security
that ties to that?
And how does that tie back
to local authorities,
if not, you know, criminals and those who might want to do harm, right?
So we did touch a bit on that as well.
I'm curious, you know, to me this really points out the importance of the collaboration between, say, the cyber teams and the physical security teams.
How, when you have a big event like this,
whether it's this or the Olympics or anything,
a Super Bowl,
that flow of information really has to be there.
Yeah, 100%. We talk regularly about this,
the connection, like you said,
between the cyber and the physical world.
These are so interrelated.
And events like this really amplify that. It's true in daily life. I talk a lot with
organizations about the need to have these fusion centers to understand that things that we see in
cyberspace can be indicators of a physical event. We see planning, in fact. And things that are
happening physically could be tied to a cyber event. A physical attack can be used as a distraction
while a cyber event goes on that's being unnoticed.
So that's always been true,
but never more so than when you get into
these large-scale events again,
where you really have to do that.
This is why these organizations set up these giant SOCs
and they spend a lot of time and energy and money
and really get the best resources in the world together
to do these events,
because you have a very small period of time
to be as close to perfect as possible.
And adversaries who want to do harm, again, the financial is there.
But let's say you're politically motivated and you want to do harm.
This is the world's biggest stage for that.
And folks are expected to protect against that.
So the pressure is very high.
And you want to bring all of your resources together so that you're able to work together.
If something's going on physically, you want to see what's going on in social media.
What's being talked about, what's known,
what's suspected, what's being
claimed. If something's happening in social media
and there's discussions about, frustrations
about things, are people
frustrated and venting
or are they planning to do something
about it? Is there an attack that's coming with this?
And if bad things do happen, also
being able to go back and look in the places
you might expect to find criminals talking about it. So you can look for attribution, or you can look for if data
was stolen, where it might have gone, or if money was stolen, where it might have been transferred
to, or crypto, or something like that. So in daily life, for large enterprises, certainly,
I believe these should be fused together. Fusion cells are incredibly important.
That cyber and physical work hand-in-hand on these things. When you're stovepiped, you're really not doing yourself a bit of good, frankly.
But in these events, it's the only time we've consistently seen people seem to pull that
together through multiple World Cups and World Series and Super Bowls and Olympics and that
kind of thing.
We do see that comes together more than ever.
You know, you mentioned that you've had some involvement with Olympic games in the past.
And I'm curious if you have any insights on kind of how it's organized. I mean, does the host country take the lead
when it comes to cybersecurity?
And then other nations come in and say,
yeah, that's good enough for us,
or we need something additional to that?
How does that international collaboration generally work?
It's a good question.
I can speak to the ones I've seen personally, so obviously I can't speak to all
of them. But in the ones I've seen personally
and the run-up to that, so the host nation
along with the International
Olympic Committee, in this case,
worked together on this. So I have
some experience from Brazil
Olympics and from Japan, from
Tokyo, and how that was done.
And it's intense. There's
good reason these Olympic events,
and I'm sure it's the same with the World Cup. I have to admit, I haven't watched the run-up
from the inside. There's a good reason these are put so far in advance. I mean, obviously,
there's a lot of infrastructure that needs to be built. But also, all of this planning takes a lot
of time. So there's a lot of interview processes with different vendors. There's a lot of work with
different government agencies. From my experience, what I saw was countries really focusing on,
we just want the best practices.
We want to do this well.
I did see a lot of great teamwork and communication.
Obviously, vendors are looking to fight for that business.
There's money in there.
But I always saw a lot of companies that were willing to work really well together.
These nations want to succeed.
They want these to be successful events.
They're worth a lot of money.
They're a lot of prestige.
But they also want to keep people safe.
And nobody wants to see, we've had terrible events, you know, years and years
ago in the Olympics.
Nobody wants to see something like that again.
There's a lot of work that goes into planning that out, but it's, they bring in incredible
experts from around the world.
And of course, you know, if you're in this field and you want to do good things, that's
where you want to be.
The Super Bowl, for instance, use that as an example, is the greatest football
event of the year in America. But if you're a cybersecurity expert or a physical security expert,
that is your Super Bowl, right? I mean, there's no better opportunity to do good things on a big
stage and be successful. I mean, it's scary and it's stressful, much like I'm sure it is for the
players on the field, but it's where you want to be. So, you know, these events attract great talent who want to be a part of it. They want a chance to contribute to success. In my
experience, what I saw was amazing talent getting together, putting together incredible security
practices and, you know, SOCs and backup SOCs and physical and cyber working together and working
with the local law enforcement. The only complications I saw that come into it, which is
just the nature of
international world, is again, countries have different laws. So then you have to also apply
that. So for instance, the ability to monitor domestic communications when somebody like the
US or Canada were to host a large event might be different than it is if somebody in Qatar or
UAE or Russia or any number of countries, right? I'm not trying to pick out
countries specifically. Laws are just different, you know, locally. So also applying that to what
you're doing and saying, hey, here's the things we're able to do or the things we're not able to
do. How do we account for that? Or how do you build the right relationships with local law
enforcement to make things legal? You do want to stay within law, both domestic and international.
So working with the local agencies, the federal agencies,
for whatever the host nation is, to make sure that you're doing that. And of course, all those federal
agencies have vested interest in successful events as well. So it's remarkable.
I've got to be honest, and I only had a small piece of those events.
I'm not responsible for anything that I would claim. I didn't contribute my opinion.
Just a small piece of seeing how these things were being put together and having some involvement
in the planning.
It's remarkable.
I don't envy the committees that have the work to do, but what I saw was diligent people
who take the time and effort to do it right.
It's why there's years on this.
And it's every time there's a large event like this that goes off and we don't have
a major news story, it's a credit to the people behind the scenes that are making those things happen.
It's hard work.
And these are long events.
World Cup goes on for a long time.
Super Bowl at least is just one day.
World Series is a week, week and a half, whatever it might be.
The World Cup, the Olympics, these are long events.
Lots of people working really hard, constantly monitoring to try to keep everybody safe.
And I suppose there's some security awareness training that goes into everyone, or that goes toward everyone who goes there, from obviously the athletes themselves, the coaches, but
I'm thinking even, you know, the folks who are there running the TV cameras and vendors and all
that sort of stuff. When you're a stranger in a strange land,
you need to, to your point about the local laws and customs and all that kind of stuff,
even when it comes to cyber,
there's probably nobody who doesn't need a refresher.
Oh, 100%. I agree.
The reason we do a paper like this, for instance,
the World Cup event assessment, is for that.
This is for anybody, an executive who might be going to the World Cup, for instance, or the cameraman, anybody in between.
It's an opportunity to understand what are the threats we should be looking for, what are the local customs, rules, laws, etc.
But there's also other things.
Our team and others do the same, I'm sure.
We do travel assessments and briefings of that kind of thing for anybody
going anywhere, frankly.
Um, because you're right.
There are things you would think most of us have a bias at least towards what we, what
we know, right?
So you might think this is what I've always done.
And then you go to a country and realize the thing you do all the time is illegal.
Uh, you know, I talk about this a lot with like encryption or VPNs on our phones.
For instance, there's countries in the world where that's illegal. And if you don't know that, and you
show up off the plane and your phone's encrypted, and then you may have a problem. You may not,
they may enforce it, they may not, but some countries that can be a real issue.
So understanding that, you know, Qatar specifically, you know, we've seen,
you know, there's, I mentioned the LGBTQ controversy, you know, the country has different
customs and rules that go along with that. and folks have been protesting in some cases.
And I've seen reports of people surprised by the law enforcement reaction to the actions they've taken.
And I'm not here to decide what's right or wrong, but we all need to understand whatever the domestic laws are.
You can disagree with them.
We all can.
But if you're in a country and you break the law of that country, you've still got a problem. You know,
the reality is, you know, you can't just say, well, I'm an American and it's legal in, you know,
where I'm from. It doesn't matter. It's not legal there. So, you know, I think people need to really
have these opportunities, you know, products like this one or travel assessments or some other ones, you know, to be informed. And so most of the major, you know, the sponsor
organizations, the teams themselves, et cetera, as you said, yes, I think most have travel
assessments and have briefings and are given those opportunities to understand what, you know,
the do's and don'ts are wherever you're going. I'm not sure the general population necessarily
has enough of that, though.
And I think it would be good if more did.
So again, part of the reason we put products like this out
certainly is to help people who might be going to those events
to have an understanding of what you should be looking for.
It's a challenge.
A lot of people don't travel internationally much, if at all.
For many people going to Qatar, this is probably their first international trip.
And if you're coming from a country that's not very similar,
so not probably a local neighbor,
chances are very good that it's a culture shock.
And there's a lot of things you go into that country
not knowing or understanding.
And the results can be catastrophic for somebody personally.
And folks who are always looking to take advantage of that,
the confusion that comes from being away from home and being in a strange place where the
customs aren't what you're used to. A hundred percent. Yeah, absolutely. And that can be
anything as simple as, you know, what somebody charges you for a taxi cab ride, right? We've all
probably been there at some point or tipping, you know, tipping is a custom that's different
in other parts of the world.
So as simple as that, some more complex things that might relate to cybersecurity.
When I attach to the local Wi-Fi, is that safe or not?
Should I be using Wi-Fi in this country or in this region?
Can I use a VPN?
Is that legal or not?
Maybe it's not legal, but does this country actually enforce that law?
Some do and some don't, or who they choose to enforce it against. You know, I talk
a lot with the Middle East, you know, it comes into play sometimes is, listen, the definition
of pornography is remarkably different from country to country. You know, if you have a
picture of somebody who was just on a calendar that would have been considered a PG picture in
the United States, it may not be in a different culture. And if that's the kind of thing you happen to have on
your phone, that could be a problem for you. So, you know, what do you do about that? Make sure you
know what content you have available to you because your phone could be searched in certain countries,
you know, versus others. So it's those kind of details that are really challenging
for people who don't focus on this a lot or don't travel a lot. And again, most of us see the world through our own lens,
so we have our own bias.
And that's not a compelling argument when you're someplace else in the world.
Sometimes the State Department, for the U.S. citizens, it can help us out,
but sometimes it can't.
Brittney Griner, I guess, would be the best current example, famously,
that people are aware of now.
These are challenging things.
So again, reports like this I think are vital
for people to have an opportunity to read them
and go in with some knowledge.
And if you're not going to do this
for average citizens,
the State Department puts out travel assessments.
There's other agencies that do as well.
I think it's very important.
I'm thankful that we have a great team that puts these
kind of reports together for folks on
assessments for specific large events.
You know, I think, you know, the G20 is another one we've been known to do, but also the ability
to provide companies with travel assessments specific to their needs.
Hey, I've got an executive going to, you know, this country next month.
Can you tell us everything we need to know?
Those kind of things.
You know, I'm glad we have a great team that does that.
I'm sure it keeps a lot of people safe.
Yeah, it's definitely a report worth checking out. I mean, even if you're not heading to the World Cup, anybody who travels or
we work with people who do, it's just, I enjoy reading these sorts of things because it kind of
opens my mind up to a lot of what-ifs that I probably don't consider in my day-to-day.
And, you know, that kind of intellectual stimulation I think is always worthwhile.
So hats off to you and the team for coming up
with this. Yeah, thanks.
Again, my team, these guys are great.
Nothing but credit goes to them.
I'm thankful to work with
brilliant people that care about keeping the world
a safer place. So I'm excited to
talk about them all day long. These guys do
amazing work and I'm thankful
to have the chance to chat with you guys. Hopefully we can help some folks.
Our thanks to AJ Nash from ZeroFox for joining us. The research is titled Qatar
2022 World Cup Event Assessment. We'll have a link in the show notes.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Trey Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John
Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll
see you back here next week.