Hacked - Never Let a Good Crisis Go to Waste
Episode Date: March 31, 2020
Jordan Bloemen & Scott Francis Winder discuss cover fire, smokescreens, and how to never let a good crisis go to waste. If you like the show and want to make sure we can keep making it, please subscribe and if you can visit https://www.patreon.com/hackedpodcast and show us some love. Also - don't forget to check out our loving sponsors: Go to https://NordVPN.com/hackedpodcast or use code HACKEDPODCAST to get 70% off a 3 year plan plus 1 additional month free. Check out http://blinkist.com/hacked for a 7-day FREE trial!
Transcript
It's somewhere in Stockholm, and the streets are lined with burning cars.
It's the early hours of a foggy morning back in 2010, and a small army of police and firefighters
are rushing to the scene of a spontaneous mass arson.
Someone, for some reason, has set a bunch of cars on fire.
No one knows who, no one knows why, only that at around 2 o'clock in the morning, the streets of
Stockholm suddenly lit up with the crackle of, well, it's Sweden, so presumably a bunch of burning
Volvos. Emergency response arrives on site, they put the fires out, and Stockholm is calm again.
During that window of time, just six or so minutes, when the attention of Stockholm's police force
was drawn to those burning cars, this whole other story was unfolding. A heist that those cars
served as a distraction for.
Miles away at the Swedish royal residence,
windows shattered at the Chinese pavilions,
and a crew of bandits raided a permanent collection of art and antiquities.
They fled to a nearby lake and vanished by speedboat.
They set the cars on fire,
so no one would notice as they robbed the royal palace blind.
This isn't really about that heist,
which you should look up.
It's like one of dozens around the world,
whole big thing, very interesting. It's about the cars, the distraction. Because if you want to
understand how so much cybercrime, so many hacks go sight unseen, you got to ask,
where's the burning Volvo? Like on Christmas Eve, 2012, when the business controller of a
Sacramento construction company went to log into their corporate bank account to find nearly a
million bucks missing from their bank, which was conveniently being distracted by
a DDoS attack launched by the same hackers. Burning Volvo.
Or similar smokescreens employed in hacks against Wells Fargo, Bank of America and Citibank.
Burning Volvos.
Well, right now, as the whole wide world is paying attention to one very specific crisis,
and a bunch of people are figuring out how to take advantage of this once in a lifetime,
burning Volvo.
This is smoke screens, cover fire, and how to never let a good crisis go to waste.
On this episode, a fact.
CBS News got exclusive access to this global operation center, where the Secret Service is tracking the spike in coronavirus cybercrime.
Anytime there's a heightened element of fear, such as with the coronavirus, criminals are going to exploit that.
Threat actors are going to take advantage
of this situation
and milk it for all that it's worth.
With more Americans working
from home in the weeks ahead,
the Secret Service says
the risk will only increase
because a personal computer
does not have the same security features
as a company network.
So I couldn't help but notice
the last two news updates we did
had thematic sense
to what's going on in the world now.
We talked about the Iranian malware
and then in the subsequent
episode, we talked about the shutting down of Shadow Server.
And I can't help but feel like they're both related to the same thing, what's going on in the world right now with this pandemic.
You know, Cisco being a major corporation with major corporate expenses, probably looking at ways to save money and focus more on core operations, you know, completely hypothetically.
And that could have been what led to the removing of the funding to keep Shadow Server going.
Meanwhile, we've got the Iranian government taking advantage of this crisis to jack malware onto the phones of all of their nation's citizens.
And this just leads me to the thing I wanted to talk about today, which is like, you know, never letting a good crisis go to waste.
Essentially talking about, you know, when you're looking to hack something, timing is as important as technique.
And when we talk about cover fire, you know, in the DDoS episodes we discussed
how you can use them to distract IT infrastructures and IT service departments away from paying attention to the security infrastructure.
That's essentially what's going on today.
Like you can imagine with billions of white-collar employees moving to a work-from-home basis,
security infrastructures that have been fine-tuned and tweaked for years are literally being dismantled to allow for this new world to operate.
So I kind of just want to talk about, like,
if you were going to be hacking something,
now is probably a pretty good time for it.
You said cover fire.
Can you talk to me a little bit about what that means?
Yeah, cover fire is just a way to keep people in their holes,
or to keep people distracted,
so they don't notice what you're actually doing.
You know, in the classic war movie,
where the guy's got to make a break across the field
to get to the hole,
everybody starts spraying bullets, you know, wasting ammunition,
but essentially it's done to keep the opposition in their trenches
so that they don't notice this person sprinting across to get to the, you know, target.
So the idea there is that the whole world right now is cover fire.
The whole world is just spraying ammunition,
and it's a really, really good time for someone to try and book it across the front lines.
100%.
Okay, so in a practical sense, let's talk about that.
You talked about this idea that we have
got a whole bunch of companies all around the world,
and they've got a very, probably well-built-out IT infrastructure, definitely,
and they've probably spent years fine-tuning,
adding in separate pieces of verification,
identification, network security controls,
all of the stuff to prevent and detect intrusion,
locking down the fort.
They've probably been building walls
and tightening them and supporting them for years.
And then all of a sudden they have to send, you know, 27,000 staff home
and they have to just knock the walls down.
Talk to me about what kind of vulnerabilities having a bunch,
a huge chunk of our workforce suddenly working from home,
introduces into otherwise relatively secure IT infrastructure.
Well, I think the first thing that I would look to exploit
is the social side of it.
you know, I don't walk down to the IT department anymore to ask for things.
I have to call down.
There's no real way to verify who I am via a phone call.
So if I have a staff directory for everyone that works at a company,
probably a pretty good chance that I could call enough IT people
and convince one of them that I'm somebody I'm not and get things that I shouldn't.
Does that make sense?
Yeah, it does make sense.
The basic idea is that when the ways that people work together, those sort of, like, soft security measures, get completely reworked, it creates this sort of negative space where someone can social engineer their way through and get into a system they're not supposed to be in.
Totally.
And, like, from a geographic perspective, when you have local networks, you know, they're pretty locked down.
You know, when your access to a network requires geographical, you know, cadet.
So I have to be here to plug into the port on my desk or on the Wi-Fi that's thrown around to my office.
You know, when you have to start letting everybody go to working from home, you start talking about massive VPN infrastructures, you start talking about stuff like this.
And if these companies didn't have it, you know, they're probably struggling and rushing.
And truthfully, probably making some mistakes and leaving vulnerabilities and not because they're bad at their jobs, but just because of the velocity they have to be operating at.
As someone who knows generously nothing about IT and setting up a network for a business,
explain to me in like broad, broad 10,000 feet strokes what the difference between my home
Wi-Fi network and the way I would be working from home.
How is that different from a big company with its own network?
From my perspective, I've got a laptop and I'm connecting to a Wi-Fi network
or I'm sitting at my desktop.
It doesn't really seem like it's that different.
Talk to me about what's happening behind the scenes that makes that more secure than working from home.
So the big thing is, you know, when you're a trusted member of a network,
so if you're in the office and you've brought your work-designated laptop and it's plugged into a work-designated Ethernet port and you have access,
all of your credentials have been rolled up by major, you know, access control servers, you know,
you can see the F drive and the U-Drive and the, et cetera, et cetera.
You can boot up your ERP for the company and connect to the database servers.
All of a sudden, you go home and you don't have any of that infrastructure.
That infrastructure all exists inside of that building.
So they need to open up holes in the firewall to let you start to connect to that infrastructure.
That's probably where the first big problem begins.
There are very good solutions for it.
Corporate VPNs are a thing for a reason, and that would be one of the main solutions.
and I'm sure there's companies that didn't have huge VPN infrastructure do now
and are probably rolling them out actively.
But I think that basically answers your question.
Yeah.
I'm a business and I've just sent everybody home,
and we're all working from home on Slack or whatever.
What kind of things should they be thinking about
for making sure that they're secure during all this?
I think the, like I trust that VPNs
and I trust that a lot of these major, you know,
hardware software service providers, the Microsofts, the Cisco's,
will provide solutions that allow these companies to continue to operate in a secure fashion.
I think, you know, for me, the number one thing that I'd be looking at targeting would be the social confusion that spins out of this.
You know, has the IT help desk person ever met Darcy from Houston?
No, probably not.
Can I be Darcy from Houston?
Yes, I probably can.
and that would be probably the first place I would start.
So having some form of, you know, we talked about two-factor authentication when it came to, you know, cell companies and SIM swapping.
You know, what is the corporate human version of that?
It can't be go to the office anymore.
So what is it now?
There's another side of this that feels like it creates just as potent a vacuum for social engineers to be able to sneak through.
It's people who haven't been sent to work from home.
It's just people who've been laid off.
It's like a huge unemployment right now,
and you've got a bunch of people sitting at home.
What kind of an opportunity is that create for, you know, cyber criminals, basically,
knowing that, okay, we've got a bunch of people who are out of work,
who are sitting at home on the Internet.
I think of like money mules.
I think of all these different things that just rely on someone needing money,
needing some legitimate way to make bank.
What kind of opportunities does that create for the social engineer-oriented hacker?
Well, that's a great question.
but actually I think you brought up something that I kind of wanted to hit a bit more in relation to
what we were just talking about, which is when you have bulk layoffs, which is what we're seeing,
you know, there's rumors that like 9.5% of the U.S. population was laid off last week.
And this will be airing the week after.
So two weeks ago, 10% of the U.S. population was theoretically laid off.
That's an overwhelming amount of people for an IT department.
Like, if you imagine disabling access to emails, disabling proximity key access.
You know, when we talk about crimes of opportunity, as this episode is kind of themed at,
that's a massive crime of opportunity because there's a good chance that a lot of people laid off still have access to their corporate networks.
Okay, so before getting to the question that I did ask, which I do want to get to,
what should the top priority for IT professionals be right now?
They show up to work on Monday.
What is the thing that they should really be thinking about?
Well, I think, you know, being somebody who spent a decent amount of time in
IT, your top priority is whatever the company's top priority is. And that might not be security right now,
which is why the crime of opportunity is a thing, because the company is being put into this
insane amount of pressure to continue to operate, to continue to deliver, to continue to sustain,
given what's going on.
So really your focus is on facilitating operations, not security.
So I think if I'm an IT person getting to work on Monday,
assuming I'm still going to work,
figuring out and making sure that as many of the people that I work with
can continue to work is probably my top priority.
And security will be the B, C, D, E, or F on that list.
Hence the cover fire.
You know, there's such chaos going on
that the cover fire's for free right now.
Sure.
So if you were slowly kind of infiltrating a network
or doing something or setting up some hack,
now's a great time to do it.
I want to talk a little bit about how,
and this is true in terms of the current situation
we find ourselves in,
but I think it's true all of the time
is that when people are desperate for information
about something,
that seems like a really good opportunity to,
that's a situation you can take advantage of, right?
Yeah, well, I think, you know,
that goes back to,
survival. You know, we're all kind of loosely transitioning into this odd form of survival.
We know, be that some people are doing different things. Some are fighting over toilet paper. Others are,
you know, not spending any money and hoarding cash. Some are, you know, dumping more money into the
stock market because they think it's low and they think that they can make back their losses. You know,
everybody's kind of dealing with this sense of survival that's been kind of imposed on us by what's
going on. So you present someone with an opportunity that will make it easier for them to navigate
this situation. You might be able to kind of get past their defenses a little bit. Totally. Like,
you know, we're talking about vulnerable populations growing exponentially. You know, people who
were unemployed or out of work, you know, weeks ago was the lowest number in American history
is now going to be probably the highest in American history within the matter of weeks.
So when you have an exponential explosion like that, not only in viruses, but in virus cases,
but in just vulnerabilities, like we're going to have, there's going to be a social cost to that.
And, you know, whether that's exploitation or whether it's, you know, just bad things going on in society,
people are just mostly going to be going into survival mode.
Some people who, you know, sociopaths, will see opportunity in this and will be taking
advantage of it for, you know, their own reasons, hacks, etc.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something too late.
An alert buried, a signal missed, a SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security
operations from the ground up for a world where attackers are already using AI.
They created the Aurora Super Intelligence Platform, a fully agentic system powered by the swarm of
experts. Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic
agents that handle whole entire workflows. Humans stay in the loop and on the loop to validate
the critical decisions and keep everything trustworthy, and all of this is running on
their secure operations graph, a constantly updating intelligence engine fueled by more than nine
trillion telemetry events every week and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent-led by design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready AI in security operations actually looks like, go to arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head.
Organizations around the world saw headlines they never expected,
and cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened, but why
these attacks succeeded, and most importantly, what businesses can do to fortify their defenses
before it's too late.
You're going to walk away with real insights into how threat actors are evolving, how defenders
are responding, and what strategies can help you stay ahead of the next big breach.
It's not fearmongering.
It's practical, actionable, intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
Okay. So I want to talk about cover fire outside the context of COVID.
Let's just imagine we live in the before times.
Sorry, I guess pre-November.
Sure. Talk to me about the different types of cover fire.
So like we've been talking about a massive news story, kind of like people are hungry for information, opportunity, economic of people who need money,
and then this weird outlier situation of IT networks having to flex to have people work from home.
Yeah.
What other kinds of cover fire exists?
Giant distractions, giant things that, you know,
people just can't look away from and create opportunities for cyber criminals.
Well, I think in the classic, like, tech hacker sense,
cover fire will be something that just pulls away security resources
or causes Infosec teams to have to let their guard down.
You know, very similarly to like what we're talking about now,
where it's like, hey, the world's different, people aren't coming to the office.
We have to let our guards down to facilitate this new operations.
Things are happening.
So any semblance of that becomes cover fire.
So, you know, the classic, hey, our corporate network's being hit with this massive DDoS attack
leads to the technical staff having to deal with, address, mitigate that problem.
And they might not notice you sneak, you know, four and a half gigs of data out the back door.
So that becomes the essence of cover fire.
So in today's sense, you know, lots of things can be cover fire. I'd say you have to be pretty smart about it, because if your cover fire leads to new security policies, new lockdowns, if the cover fire stimulates a change in the IT and infosec infrastructure that will actually hurt your actual hack, that's a bad thing. So you have to really kind of think about and plan what you want to do for cover fire.
Sort of like, it's kind of like close-up magic.
You need to make them look over here while you do something over here.
Yeah, that's literally, that is the hacker version of cover fire.
Pay attention to this problem over here.
Focus on this while you don't notice what's going on over here.
Right.
It's the DDoS attack and the opening story from that Sacramento Bank.
You know, that's the perfect example of this, you know,
dealing with a human-level crisis, because really, DDoSing the website, not the end of the world,
but it would have thrown the organization into a crisis, which would have caused people to make, you know, decisions that probably would have been under a higher level of scrutiny if that crisis weren't going on.
So, you know, they threw a bunch of EFT requests in, you know, move money here, here and here.
Upon scrutiny, calling the client probably would have been a part of that scrutiny to verify that they were, you know, real transactions.
None of that was done because they were dealing with this other crisis.
It's perfect cover fire, you know.
Create chaos and then in that chaos leverage people's reduced ability to make sound decisions.
As a hypothetical, say, I want to hack a software company.
What kind of take me through that?
What kind of cover fire would I be looking at to do something like that?
Sure.
So let's think, you know, a couple years ago, I think I mentioned this in one of the first episodes
of Hacked, the first season, quote unquote, season,
is somebody had hacked into a software company
and gotten actually control and was embedded in their development infrastructure,
so they were actually playing and tweaking with the source code
that would then become the production releases of the software.
So, like, let's think of a great beneficial use case for that.
Let's assume we had a backdoor into password managers,
tie in another episode of old Hacked.
So say we want to hack into one of the password managers' software code and add our own backdoor.
So what would distract everybody inside of the password manager's company, not just the IT staff, but the development staff too, to not be as secure?
Say we had spent months researching the password manager that we were looking to get access to.
Say we tested their network.
We had found some vulnerabilities and we kind of knew when we could punch the real.
Maybe we release a hack for their password manager or a security bug to the market,
and we showcase it at DEF CON, throw a paper up, put it on the dark web, wherever, causes the entire company to go into hysteria
because they don't want, you know, they make something that's sold on the grounds of security.
And if we can come out and say, hey, it's not that secure, the development teams are going to be hot patching it, like,
crazy. The PR, corporate, and overhead people will be dealing with the social crisis of it,
marketing aspect of it, and the tech people will probably just be looking to, you know,
support in any way possible. So that's good cover fire. A social crisis that's kind of
spinning the corporation into survival mode, quote unquote, as well as sending the developers,
you know, into a frenzy to patch and fix this problem. They're probably not going to be looking at
their commits, their Git commits or, like, you know, whatever they're using for version
control, they're not going to be paying as close attention to it. So that would be a perfect
time to slide in and kind of set yourself up in their development world.
So the idea is like you find, you're trying to hack someone, you find the vulnerability that
you like. You think this is the way into their system that they're never going to notice.
What you then have to do is as you're developing that vulnerability, go find another vulnerability
over here, work on that in earnest, and then show yourself in some way, shape, or form,
either by leaking it to other cyber criminals, either by publishing something,
so that everyone snaps their focus over to that, like a spotlight,
and you've got this other road in.
Yeah.
Well, imagine the YouTube video you referenced in one of the news updates, the Wi-Fi, the crack thing.
Imagine what happens to that chipmaker the second they see a video like that.
You know, that becomes an internal crisis,
which becomes beautiful cover fire
if you wanted to do anything else.
So I would be looking
to do something like that.
And the beauty is too,
is like I remember the last time this happened,
I think it was a firewall manufacturer
where somebody had gotten in
and had access to their development stack.
They didn't find them for years.
So you imagine, you know,
imagine a firewall or a password manager
or some other piece
of secure software
that people lean on for their security
having a serious hole in it for years
and having the ability to tweak and play with it
as you wanted.
So amongst IT professionals,
infosec-y type folk,
when something goes catastrophically wrong,
when everyone is suddenly,
okay, there's a giant problem we have to address,
is there like a school of thought
that that's the moment you should be like...
Stepping back and thinking about it?
And being really, really critical.
Because on one hand, you do have to address that issue.
If there's cover fire, you have to hide behind something.
I think the question you're asking is less about Infosec procedure and protocol
and more just about human nature.
When you throw people into a crisis, you know, people react totally differently.
I remember being in university and in one of my org B classes or something, they made us
take a test to see how well we dealt with adversity.
And it was part of it.
You know, apparently a lot of strong leaders deal with adversity very well.
So there was this very calculated test that we took to see when put into stressful situations,
how you reacted.
And, you know, I think that that's probably more of just the human model.
You're hacking the human model.
Coverfire is hacking the human model.
How do you keep up your defenses when someone's just blown a hole through them?
Well, I think that the hole that they blew in our defenses is,
by just reducing our ability to make good decisions.
And so it's, you know, once you've impaired that in somebody,
you know, you don't really need to do much else.
So, you know, I think that that's a big part of the cover-fire thing
is just impairing people against making their best decisions.
So, you know, I think we're seeing that today,
and I think we'll see that going forward,
and I think, you know, that's just a part of reality.
is humans are,
as I've said before, often
one of the most vulnerable parts of a chain.
There's only so much securing you can do
that a human can't undo very quickly,
you know.