Interview with Bob Diachenko

Every so often, a large scale data breach or hack catches the attention of the international media. The average digital user, however, might not realise how common these data leaks and breaches are or how often their data might be exposed. Thanks to digital security experts like Bob Diachenko, many leaks are discovered and reported before the data is made widely available across the web forever. In this conversation, former Data and Politics project co-lead Varoon Bashyakarla asks Bob about his journey into data security, why companies minimize the large role that human error plays in data breaches, and what politicians running a data-driven campaign should be promising their constituents. Bob also shares his experiences contacting organisations and political entities, his opinions about the effects of privacy legislation, and how the technology environment needs to evolve in order to protect user data.

"Every hour, every second, a new universe of data is born. That's still terrifying, but at the same time, we also need to understand that's the reality we need to face because we entered that era when we discovered the Internet and the way we communicate."

Bob Diachenko

About the Speaker: Bob Diachenko is one of the founders of Security Discovery, a full scale cyber risk management company. Find him on LinkedIn or Twitter at @MayhemDayOne.

You can also find this interview on YouTube.

Please note that this interview has been edited for clarity and brevity.

Transcript

Bob:

I've been doing this research for more than three years now. The way I search for data and identify those data sets is pretty much straightforward and there is no rocket science behind it. That's the core thing behind my work. I don't utilize any penetration techniques or sophisticated things to find the data and see what's already exposed in the public domain. I highlight this in order to show how easy it is, particularly for anyone with an Internet connection, to search for data, find it online and responsibly disclose it to the owners. But at the same time, to show how dangerous it is for any organization or business to have their assets inadvertently or any other way exposed on the public Internet, and how easy it is to find and to perhaps accidentally see this stuff.

So I don't use any active scanning, anything too automated. I utilize data streams that come from public search engines, such as Shodan, BinaryEdge, Censys, ZoomEye. So those are IoT (Internet of Things) search engines that technically work pretty much like Google, but only for devices connected to the Internet. Any sorts of databases, web cams, routers – technically everything that you connect to the Internet – might be, or I would say, will be scanned, crawled by those engines and presented in a very user-friendly way to anyone who uses those engines.

Varoon:

I read somewhere that you started down the path of doing this work kind of unexpectedly, working at a large company that suffered a large data breach. Tell us what happened and how that shaped your journey into doing the work that you're doing today?

Bob:

Yeah, that was a pretty painful experience. But at the same time, it immediately grabbed me into the world of security, cybersecurity and related stuff. At that time, I was working in a PR and communications department. With that in mind, I was completely unaware of any search engines that would index your exposed stuff. I was pretty much distanced from any exposures, data breaches, et cetera. But the data breach that our company experienced was really surprising, since my colleagues and I were pretty much sure that the data could not end up in the public domain. So we started to understand the reasons behind the exposure. I was really curious about what happened, but the only answer that I heard at that time was that it was a mistake – a human mistake – that brought that into the light.

So I started to learn more by myself and also with the help of other security researchers who were doing similar stuff. I started to play around with those engines, started to elaborate my own approach to finding the data. I decided to continue as an independent journey outside the company. I alerted companies and businesses so they could prevent similar things to what happened to us. And then I started to consult other companies, shared my knowledge and experience that I gathered throughout this. And that was my professional growth as an expert security consultant. Originally, I thought it wouldn't take much time. I thought it was just bad timing or some coincidence that data breaches or exposures happen.

Companies don't realize that it's so easy to fix at the very beginning or do some internal analysis before the data sets are indexed by search engines. But that didn't happen. And instead the whole tsunami started to grow with all those exposures and data breaches. Then ransomware attacks came in, and I found myself in pretty challenging and exciting times when companies really need to be educated about the pitfalls and dangers of simple human mistakes.

When I read about all those ransomware cases or hackers' attacks, I understood that at the very bottom of this was not a sophisticated attack in most of the cases, it's just a human mistake or some piece of information that was left publicly exposed, and then it grew up like a snowball and ended up compromising the data or stealing the data. Pretty much every case that I read about recently started with something really small, a token or a secret key or password found somewhere on GitHub or Google, a Slack channel, you name it. So it just takes one piece of information that then would fill in the complete profile of an organisation or a person that is a target.

Varoon:

One of the questions Tactical Tech tries to pre-empt is why this work matters. Obviously, I think it's easy to convince a company that has just been exposed in some way or to convince someone whose identity has been stolen about the value of their online privacy and security. But perhaps it's a different conversation with people who haven't, or organizations that haven't felt the sting so personally. Have you noticed any change in the course of the three years you've been doing this work and the way these issues are being talked about?

Bob:

The amount of cases that I report is not changing, despite the fact that everyone now knows about all those default configurations that need to be properly secured. Even security, even vendors, software, hardware vendors, are now doing all those precautionary measures at the very beginning. So they don't set up their devices to be password-less by default. They really insist and alert a user who sets up their system that you need to be careful about setting up a password, make sure that your password policy is configured properly. So a lot of those steps are introduced by many vendors.

Despite all those measures, humans always make mistakes and they only learn from their own mistakes when they happen. They don't learn from others' mistakes. If that would happen, then we wouldn't see any wars or crises or anything like that. So when a big company has a data breach, it only learns from that experience. It doesn't learn, for example, from other companies' experience of a data breach, even a large one exposing the sensitive information of their users.

So to answer your question, there is no decline in the amount of cases that we report. And I assume that this won't change. Still, I don't feel like I’m fighting windmills, like some anime hero or Superman doing his job. I really believe that with every case that I report, I prevent some bigger exposure and that companies can learn from those small cases and prevent big things from happening. There are a lot of companies, Fortune 100 companies, that I manage to alert when they’ve had their secrets or configurations exposed in plain text. And you don’t hear that in the news, because it was patched in a really responsive and prompt way. So those are those cases that make me believe that we are doing something significant for the community, at least education-wise.

Varoon:

You mentioned that humans are not learning from their mistakes and wars and crises. So I think it's a good transition into your own work around discoveries or exposures that have been related to political data or data that could have been used to advance political goals. Perhaps you could talk about some of those cases that come to mind, or perhaps you feel that virtually every exposure you identify can be used to advance political aims, depending on who accesses it?

Bob:

Yeah, indeed. I used to discover a lot of, at least US voters' information, a year or two years ago. Now I don't see it that much. I don't know why. Maybe the companies responsible for that have really taken it seriously and restricted access to the data. But at the same time, there is an alarming trend of so-called marketing data or social data, social graphics data – data collected from social media platforms via scraping. So all this information combined and properly structured might complete a pretty full picture of a user. And if it's cross-checked with other databases, voter databases, or any other marketing datasets, that would create a pretty complete profile of anyone on the web.

So nowadays I assume everything is recorded when you are online. It's recorded for good reasons, at least to ease your life. For example, to collect caches when you browse to make your work easier. But at the same time, those pieces of information are stored somewhere. And every day of our existence on this planet, of a digital existence, creates petabytes and petabytes of logs. And any data collected needs to be stored somewhere, and cloud storage is, as we know, not something in the sky. These are physical computers connected to each other, and they are potentially exposed to any misconfigurations or human mistakes, as we all have seen. And with the amount of data being collected, the scale and the probability of those data being exposed also grows exponentially. That's perhaps the reason why I don't see any decrease in the number of cases.

Every hour, every second, there is a new universe of data born. That's still terrifying at the same time, but we also need to understand that's the reality we need to face because we entered that era when we discovered the Internet and the way we communicate. So we need to cope with that.

I don't share the vision that you have to totally isolate yourself from the digital world and not leave any digital trace behind, because that would be impossible. And that would only make you paranoid. There's no way you would avoid your digital footprint being recorded. Even if you distance yourself from social media, there are other ways you will be caught up and logged somewhere. If you start to think about it, it's crazy. So you have to be rational about the digital bits and pieces that you leave in this world, but don't be paranoid about it.

At the same time, you have to be aware of the dangers that it might create and be rational and reasonable about potential inquiries and incoming messages about your social profile or phishing emails. It's all about common sense and understanding of how this vault of data is structured. So I would imagine that with all those incidents involving your social media profile information combined and collected in a variety of ways, there will be more of that in the coming years, but they won't be such news breakers because it's pretty much out there already. It's only a matter of time until it'll reappear again, in one way or another.

Varoon:

I'm curious – more with an eye towards the security considerations that such political candidates should be thinking about – what would you tell them, given that many of them it seems, at least based on some of the work that we have done, are very quick to embrace the idea of running a big data-driven campaign, but are not as quick to think about the risks involved in doing so? If you were to give a candidate advice, about the things that should be on their mind in terms of digital security, what would you tell them?

Bob:

You need to educate yourself on cyber hygiene – at least the very basic principles of how cyber hygiene works. I can barely think of anyone in our political environment who really thinks about that. And I would suggest that will be a must for anyone doing digital campaigns or going forward on this path in the future, because there are a lot of claims about how they care about data security, about privacy of their users' data. But the reality is that's only proclamations. They really don't consider that as an important part of the program or that it really needs to become part of their political promise, that the data they collect from the very beginning, when they are in place, they would protect it as if it were their personal information and prove that with educational activities or active preventative measures to show real action on how they protect their users' privacy and personal information they definitely collect throughout the campaign. That would be really important.

Of course, if you are a target for a sophisticated hacking attack, there is barely a way to avoid your data from being compromised. But the more aware you are of the potential strategy of those who would target your data, the more protected you are, so the less likely it is that the data of your users will be stolen. I'm not talking about a misconfiguration event. I'm talking about a really sophisticated attack by APTs or hacking groups that might employ some technical intrusions onto your computers’ hard drives. So any politician needs to be aware of both passive and active lines of defense when it comes to cyber security and cyber hygiene. That would be really important.

Varoon:

Totally. I think if a political candidate somewhere in the world is very intent and keen on running a data-intensive campaign, I think they need to live their values. They can't claim to care about digital security and yet put out digital products that claim to protect people's security in the process. That's an absolute contradiction.

Bob:

And just to add to that, in most cases with political organisations – we even discovered Donald Trump's campaign email credentials left online – it was almost impossible to get in touch with the people who were responsible for keeping that data secured. There were no dedicated emails for responsible disclosure for security or privacy alerts. And obviously, there was no proper response to any of our emails when it came to alerting a politician or politically related organization about an exposure.

They are the slowest and most non-responsive organizations when it comes to incident response. So that's really a shame and I wish the situation changed in the future with that piece of advice that I just gave. So just create a dedicated contact for your campaign when it comes to reporting an issue from a white-hat security researcher, perhaps that would solve a lot of issues with your users' data. With a few of those who responded to our alerts, to my alerts, most of those were really aggressive about the finding, the very fact of this data being found somewhere. That's another side of the story.

Varoon:

I understood that there was a case recently in which you tried informing the Calgary Parking Authority of a security lapse on their part, but they never responded to you. Though it sounds like the owner of this Elasticsearch database isn't even known. How do you adhere to the principles of responsible disclosure when the parent organizations are unreceptive or unknown in the first place?

Bob:

So we really don't publicize things before they are secured in order not to create any hints to someone with malicious intent, trying to find this piece of information and grab it, sell it, compromise it. But there are a few cases when data remained online for years and the responsible party was completely non-responsive. And in that case, we usually contact host providers to force them to take down those IPs or at least contact the owners of data. So we sent abuse reports to them.

But in some cases when hosting providers aren't Amazon, Microsoft, or Google, or other big players who obviously take these things seriously, there are a lot of small providers that, if located outside of Europe or the US, are completely non-responsive, similarly to the owners of the data. The process might take months to get this data down. And when it is secured one way or another, then we usually publish this in order to raise awareness that this data probably was seen by anyone at that time, given the amount of time that it was online. So that creates additional risks for those whose information was exposed.

Varoon:

As you were saying earlier, the tools that you employ are relatively unsophisticated, not to disparage your own approach at all. But I think you yourself said it was "not rocket science," I think was the term you used earlier. And yet there seems to be, when some of these cases arise, a clear interest on the part of the parent organization to frame the methods that led to the exposure as ones that were exceptionally sophisticated. And so there is this confusion, sometimes intentional, about sophistication and complexity made in security. I'm curious to hear your thoughts on this and more importantly, what consequences you think that this confusion has in practice?

Bob:

Well, for any company that I would report a data breach, that event would be described as a sophisticated cyber attack, so that's a rule. You want to go and publicly admit that it was just a production database password left by a developer.

Varoon:

Admin, admin.

Bob:

Yeah. That would still be a sophisticated cyber attack. And in 99% of cases, the audience, users, customers, they would feel that there is not enough transparency in this communication because the company would want me to, any sort of misconfiguration like that. That's perhaps the best way to answer, or at least formulate my thoughts on that matter. In the public environment, there will always be a sophisticated attack rather than a plain text password found somewhere on the web. You won't hear it at the conferences or somewhere else, only in informal communications. But like I mentioned, from my experience, 99% of cases reported by me, or reported by someone else, or the information that was stolen, either as a result of a simple misconfiguration or some really, really unpredictable thing happening.

Varoon:

Do you think that one of the reasons why seemingly simple exposures are framed as complex is related to a gap in journalistic understanding of the mechanics of identifying some of these? I realize this is a broad generalization. Why is it that you think the narrative tends to be so uniform in public discourse?

Bob:

My assumption would be that this is done with the goal of avoiding any public shame, as well as fines and other things related to legislative measures. So if you exposed your data in public and it was your mistake, then you would probably be fined. And that amount would be surprising for any company. But if you would say that it was a result of an attack or hacking intrusion, then this is someone else’s fault. It was beyond your capabilities to prevent it. It was a DDoS attack or an insider threat that was beyond our control, and that's why we are not so responsible for that incident. So the only thing we can say is that we are sorry, and that won't ever happen again. At least we will strengthen our security perimeter. That's perhaps the more viable excuse for agencies.

Varoon:

I've worked with some scholars who say that at the end of the day, GDPR and CCPA are not so much solving the problem as much as they are changing the way we talk about the problem. And maybe changing the way we talk about the problem is a form of progress, but that's still different from actually solving the underlying problem itself.

Obviously as part of your work, you also inform law enforcement, I'm sure from time to time, of disclosures. I'm curious from your point of view, what your thoughts are on the law's effectiveness or lack of effectiveness in solving these problems? Or even not necessarily just effectiveness, but the law's potential to solve these problems, even if it's not solving those problems right now.

Bob:

I see at least one good outcome of all those legislative measures. They oblige the companies to create proper privacy policies on their pages, which in turn creates at least one valid channel for security researchers like myself to report the problem directly to the company. And in some cases, of course, those emails bounce back or they don't reply, but at least there is this established channel of communications and that's encouraging for the community. At the same time, those measures also created this level of fear or some positive fear that the companies need to feel about losing their customers' data. And when they respond to our requests, they also fear the possible consequences that the public disclosure might have. They really want to comply with all those regulations and to work proactively with the security community to mitigate the risks connected with the consequences of a GDPR violation, for example.

They also create necessary positions inside the companies, such as compliance officers and additional people who would check those emails. This creates at least an imitation of work that sometimes is helpful. So I only welcome that initiative and I think that created many positive ways for researchers and companies to work together and to reply to all those potential threats to the data of their customers.

Varoon:

I'm curious to just zoom out a little bit and hear your own speculations, if you feel comfortable sharing them, about how you envision these problems being solved or not solved down the road. Perhaps part of that might reflect, to some extent, what you feel the problem really is – why it is that security and privacy tends to be so undervalued on the market? I've spoken to some people who say that we will enter a future in which privacy-conscious tech products are going to be the new, organic food where people will pay a premium for them, for access to digital technologies that respect their security and privacy. And it will start as a luxury good, but over time it will come to be more and more accessible to more people. And only by understanding our digital security and privacy as a personal good or personal liability will we begin to actually see these problems solved.

I just say solved because of course, I think the possibility of a future in which only people with capital or money have access to online environments or experiences that protect their digital security is maybe not a solution at all. But this is one idea that I've heard about how some thinkers think this problem actually will unfold in the future. As someone who identifies so many lapses of digital security practices all over the Internet, I'm curious to hear your thoughts on the bigger picture of how you see these problems unfolding or being solved or not being solved in the future?

Bob:

Yeah, that totally makes sense, that opinion that you just mentioned. And myself, I'm a believer that the whole situation would change only if everyone would be aware of the issue, not only on paper, but also with the mindset properly set up, and when cyber hygiene and education would be part of our culture. That's something that needs to be raised from the early school days, when kids need to be taught about cyber threats and more importantly, the things they may want to do in order to prevent their personal data from being exposed. So I do have a lot of trainings and webinars with all those scenarios and takeaways where you can learn about the tools and methods, which are not so complicated, that can be used on an everyday basis and literally get to be part of our everyday life. It's like brushing your teeth.

My take on this is that only when we are all educated will that situation change. It pretty much resonates with the COVID situation, with the pandemic that we see right now. Only when you have this collective immunization or when everyone is vaccinated with their dose of cyber hygiene immunity, then we might see the end. But the threats, the viruses, they're always changing. So at least the knowledge itself might be a good weapon against them.

The Influence Industry project has been led since 2016 by Tactical Tech's Data and Politics team, addressing the pervasive data-driven technologies used by political groups within elections and political campaigns.

This interview was edited by Cassiane Cladis.

First published: June 3, 2022