Travis Taylor:
Hello.
Adam Levin:
Hello, darling.
Beau Friedlander:
Oh, we guys love you too. Hello.
Adam Levin:
Oh.
Beau Friedlander:
Travis?
Travis Taylor:
I’m feeling very gentile here.
Adam Levin:
Okay. Apple, Google, and Microsoft. They all announced plans to end the password as we now know it.
Travis Taylor:
That’s dumb.
Adam Levin:
Really?
Beau Friedlander:
I don’t like it. I like having passwords and I don’t want to talk about that anyway.
Adam Levin:
But that means I can’t use Beau123456 as my password anymore.
Beau Friedlander:
I still don’t want to talk about-
Adam Levin:
Or Travis9876.
Beau Friedlander:
Why don’t you ask me what I do want to talk about?
Adam Levin:
Okay. Travis?
Travis Taylor:
Yes.
Adam Levin:
What do you think Beau wants to talk about today?
Travis Taylor:
I think he wants to talk about how his password was still-
Beau Friedlander:
No, no, no. You telling… Guys, I want to talk about the… No. I’ve been spending the last three days, and you know this, I can’t believe neither of you are like, “Duh, we want to talk about your scammer.”
Adam Levin:
Let’s start with, I hear rumors that you have been jousting with a scammer.
Beau Friedlander:
You don’t get a do-over. All right. Fine. You get the do-over.
Adam Levin:
No, it’s not a do-over.
Travis Taylor:
I think it just qualified as snark.
Beau Friedlander:
Snark? Listen.
Travis Taylor:
Not do-over.
Beau Friedlander:
I’m going to tell you Adam.
Adam Levin:
Is that anything like quark snark?
Beau Friedlander:
No. Quark is a German dairy product. I-
Adam Levin:
That’s dark.
Beau Friedlander:
Well, or a nano particle, but I-
Travis Taylor:
We’re doing this on a LARK.
Beau Friedlander:
Guys. I almost knocked it out of the park. I almost knocked it out of the park and ask me how.
Adam Levin:
How?
Beau Friedlander:
Well, okay. Well-
Travis Taylor:
Because you’re like a shark.
Adam Levin:
Beau? Beau?
Beau Friedlander:
I was a shark. All right. No more rhyming. I’m serious. All right.
Travis Taylor:
Okay.
Adam Levin:
I think Beau we’re barking up the wrong tree.
Beau Friedlander:
Oh my God. I’m not going to tell you my story anymore.
Adam Levin:
Oh, come on. You met a guy in the park.
Beau Friedlander:
No, I met him on Instagram and he offered me 5,000-
Travis Taylor:
And there was a spark.
Beau Friedlander:
I hate you guys. Hate. I actually hate you guys. I’ve known you too long and you’re taking advantage of my niceness. All right.
Travis Taylor:
That was a reach.
Beau Friedlander:
That was terrible, but it was all terrible. And I still don’t like you, but here’s-
Travis Taylor:
Okay. Back to passwords.
Beau Friedlander:
No. Instagram-
Adam Levin:
Instagram scammer. A man is trying to scam you.
Beau Friedlander:
A person-
Adam Levin:
A human.
Beau Friedlander:
A human by the last name of Davis, according to his what-cha-ma-call-it. Thomas Davis. Hi, Thomas. Thomas Davis.
Adam Levin:
Thomas.
Beau Friedlander:
He won 390 million dollars in a lottery. 390 million.
Adam Levin:
390 million dollars.
Beau Friedlander:
Yeah. He got in touch with me.
Adam Levin:
Yes?
Beau Friedlander:
Because he wanted to spread his money around to people who needed it. This dude offered me $5,000 and I was super excited and I wrote back to him and I think I told you, Adam. I sent you what I wrote back to him. I don’t remember what wrote though.
Adam Levin:
No, no. I saw the back and forth. It’s actually very inspiring from the standpoint of non-scammers.
Beau Friedlander:
I wrote, “Yes!” Yeah, yes. Exclamation point. And he said, “Well, do you have a CashApp, PayPal, Zelle, or Venmo to receive payment? Are you following my Instagram account?”, because that was the deal. You had to follow his Instagram account. That was it. You got five grand. I said, “I’m following. I have Venmo. Is there a tax issue? I worry about scams where money is sent and then canceled. And in between overpayment is made and requested and then I’m out the money. I co-host a show about scams, so I’m super cautious. Hey, you want to be on the show?”
Adam Levin:
Yeah. Let’s bring Tom on.
Beau Friedlander:
I wrote back to him, “Amazing.” And he said, “You don’t need to be scared”, he says to me, “I’m real and legitimate and you are with the right man. I’m going to need you to send me your Venmo username so I can send the money. And also your valid email address.” I said, “Okay. I just tried to get into my Venmo account and it seems to be locked”, because I didn’t want to give him my real Venmo. I said, “My best friend is a tech guy”, that’s Travis, “and he’s dropping his kids off at school right now. He said he’d help me when he’s free. Shouldn’t be long. I can’t believe my rotten luck.” And then I sent him a lot of emojis that expressed my rotten luck. Travis, what were you going to do at this point?
Travis Taylor:
I was going to set up a burner phone number, a separate Venmo account, separate email address, just to make sure that we had a bit of a buffer between ourselves and this guy.
Beau Friedlander:
Adam, he has like the Jeopardy waiting tune, “dun, dun, dun, dun”, he’s like sitting there waiting for me and I go, “He says, “Okay, right?” He’s like, “Cool.” Here’s the kicker. He goes, “So you’ll have to pay $30 to my personal assistant account registration fee.”
Beau Friedlander:
I wrote back, and this is where it got funny, I go, “Are you kidding me? I got to wait for my friend. Wait. Totally. Wait. He asked me to ask you, “If you have 390 million dollars, why do you need me to send 30 bucks? Sounds a little fishy.”
Adam Levin:
I’m dying to hear his response.
Beau Friedlander:
Well, I also said, “Would you be on our show about scammers? I promise not to turn you in, which we could do. Since we have worked with a retired secret service agent and a white hat hacker with close ties to the letter agencies, eh, I just want to interview an authentic smalltime swindler. Is it possible? We can disguise your voice and you can tell us funny stories about people who fall for this nonsense.”
Adam Levin:
Was he offended when you referred to him as a smalltime swindler?
Beau Friedlander:
No, it was so funny. I wrote back, “Well”… And then I ended, I said, “We’ll give you $250.” He writes back, “LOL.” L, O, L.
Adam Levin:
Well, hey that’s more than 30.
Beau Friedlander:
He said, “I’m using this opportunity to support the community and in this hard times.” Now he starts to show that he’s in a boiler room.
Adam Levin:
Did he send you his five oh one C three papers?
Beau Friedlander:
Yes. No, he didn’t. This hard times, we have like that’s red flag numero uno, right? And, then besides the whole thing, and he goes, “I really want to help more people with my winnings. The $30 is for registration.”
Adam Levin:
Ah.
Beau Friedlander:
You know, I wrote back “A thousand dollars.” He wrote back, “Are you ready to pay for the registration fee and receive your money??” Two question marks. I wrote back, “Come on, we already know the scam. We’d like to interview you. It’s more than you make with a bunch of $30 idiots. Come on.” “LOL”, he writes back. “Easy money”, I write back, “I’ll tell you what. I’ll put a thousand dollars in your Venmo account. And then another 5,000. When you do a one hour tell all interview, what do you have to lose?” He has not responded to me.
Adam Levin:
Maybe we should send him like a group communication.
Beau Friedlander:
I mean, I’m going to tell him to listen to the podcast. Thomas Davis. Adam, invite him, come on.
Adam Levin:
Thomas Davis, wherever you are, whoever you are. We need you to listen to this podcast. And by the way, as you’re listening, if you could go to Apple and give us five stars, that would be great too.
Beau Friedlander:
What is wrong with you? Saw that happen.
Adam Levin:
Welcome to “What the Hack”. A show about hackers, scammers, and the people they go after. I’m Adam Levin, cyber rabbi.
Beau Friedlander:
I’m Beau, cyber baptizer of strangers in a madcap way until I get my head cut off.
Travis Taylor:
And I’m Travis, cyber fist of Conchu.
Adam Levin:
And today we’re talking with a former privacy officer at Microsoft and the Kurt Global Head. Get that, Global Head of Security at a vast. Please welcome, Jeff Williams.
Beau Friedlander:
Jeff Williams.
Jeff Williams:
Beau, it’s been a hundred years. How are you doing?
Beau Friedlander:
It has been 130 years.
Jeff Williams:
130, [inaudible 00:08:35].
Beau Friedlander:
131 years.
Adam Levin:
Actually that was when Beau didn’t have a beard.
Beau Friedlander:
No, Jeff knew me when I had one side burn and I worked in the snack shop.
Jeff Williams:
Indeed.
Beau Friedlander:
Yeah.
Adam Levin:
Oh, I thought that was during your past days Beau.
Beau Friedlander:
No, that was just a one side burn thing to be disturbing. And I worked the cash register at the snack bar.
Adam Levin:
Well, the good news is you don’t need just one side burn to be disturbing anymore.
Beau Friedlander:
No, I just have to be… That’s very nice of you.
Travis Taylor:
Was this in commons or- Y.
Beau Friedlander:
Yeah, it was in commons.
Jeff Williams:
And now you’ve got me thinking about those cheeseburgers in the snack bar, which there has never been more pleasure condensed into three dollars and 50 cents anywhere since.
Beau Friedlander:
I agree. Those cheeseburgers were magic. Jeff, Adam doesn’t believe we went to school together and now he thinks that I studied acting.
Jeff Williams:
You were a Lit major, right?
Beau Friedlander:
I was a Lit major. And you were-
Adam Levin:
He was always lit when you guys were in college?
Beau Friedlander:
I was always lit.
Jeff Williams:
Majorly.
Beau Friedlander:
I was always lit, but Jeff, you were a drama major, correct?
Jeff Williams:
Yeah, I… technical theater. So I started in drama and then realized as I was in classes with Pete Dinklage and Justin Theroux that I didn’t want to eat Ramen for the rest of my life. And if that was going to be my competition, I’d probably end up that way.
Beau Friedlander:
True story. We did have both Pete Dinklage and Justin Theroux were there at the same time.
Jeff Williams:
Yeah, they’re both very cool.
Beau Friedlander:
Well, it was good to go see the plays. The plays were quite good. Jeff, how did you get from VAPA at Bennington College to become the Head of Cyber Securities. I don’t know if that’s your title, but the Head of Security at Avast.
Adam Levin:
Not just Head, Global Head.
Jeff Williams:
I am the Global Head. Well, having gone to Bennington, my head was big to begin with. So going Global with that was just a natural progression. No, but seriously, as I think about the history, it’s really been a series of being in the right place at the right time and being smart. I fell into going into technology because I didn’t want to eat the ramen. I intended to be part of the film industry, but I wasn’t related to anybody. There was a serious downside in trying to get jobs for pay that people were willing to take for free to get a credit. I ended up moving into computers, which I’d always had a natural aptitude for. I’d been doing since I was six or seven, and it turned out they wanted to pay people to do that. I thought that was pretty keen.
Beau Friedlander:
Did you actually go to Hollywood and try your hand at getting into the movies?
Jeff Williams:
I did Hollywood and San Francisco.
Beau Friedlander:
And then you’d started studying computers out there?
Jeff Williams:
No, I didn’t study. It’s something I’ve just always done. So-
Beau Friedlander:
Oh, oh.
Adam Levin:
Since we’re on the subject of Hollywood, what’s your favorite movie?
Beau Friedlander:
You did not.
Jeff Williams:
That’s like asking a parent who their favorite child. How do you pick one?
Adam Levin:
All right. Top five.
Jeff Williams:
My top five children?
Adam Levin:
No.
Beau Friedlander:
Nicely done. Jeff. I love you more.
Jeff Williams:
I think at least three of my top five favorite movies are Blade Runner and the different versions that have come out.
Beau Friedlander:
Wow. All right. That’s an answer. That is an answer.
Adam Levin:
Excellent taste. Ridley Scott would be proud.
Travis Taylor:
How about your favorite hacking movie?
Beau Friedlander:
Do you have one?
Jeff Williams:
You know, we end up talking about this at work periodically is we try to come up with backdrops for all hands meetings and things like that when we want a theme. So I’ve gone through all of them. The obvious answer would be to say Hackers, which-
Travis Taylor:
True.
Jeff Williams:
Just because it’s so much fun, but I think I’m going to go with Spy Game.
Travis Taylor:
Oh, nice.
Beau Friedlander:
Spy game. Good one.
Adam Levin:
Jeff, after you were in college with Beau, but before you were Head of Security at Avast, you worked for Microsoft in the early 2000s, right?
Jeff Williams:
Absolutely. Not too long thereafter is when we started to see viruses and worms just hitting everybody. You think about Sasser, Slammer, Blaster… You couldn’t turn your head at that point and not see 10 or 20 or 30,000 computers getting hit by some new worm, was always in the press. It was always something you’d read about. And it was hard to stop because the software at the time security wasn’t on by default, I mean, we’ve come a long, long way in the last 20 years. But at the time it was kind of a free for all with the miscreants. People who were trying to make a name for themselves. It hadn’t even really gotten to the point of monetization, but then everything started to change. We saw this acceleration. At Microsoft, I ended up in a variety of security and privacy roles. Security architect, later, Divisional Privacy Officer, and then, ultimately, a senior member of the Malware Protection Center.
Beau Friedlander:
Were you ever a part of the Microsoft Digital Crimes Unit?
Jeff Williams:
I worked in parallel with the Digital Crimes Unit. I was the liaison between the Malware Protection Center and the Digital Crimes Unit. And the work that I and members of my team were doing was to select the targets for take down and to provide support on analyzing the malware itself and providing information so that the Digital Crimes Unit could do their work. And they did excellent work. They had technologists as well as lawyers, which is a really good combination for that kind of work.
Travis Taylor:
Right. I think I just want to roll it back a little bit for our listeners. When you refer to worms, I know they’re not quite as popular as big of a cyber threat right now. What exactly was a worm or is a worm?
Jeff Williams:
A worm is a piece of malicious code that can infect a computer. And once that computer is infected, use that computer as a launching point to infect other computers.
Beau Friedlander:
Now, is this like Stuxnet Jeff?
Jeff Williams:
Stuxnet, I believe, is in fact a work.
Beau Friedlander:
Okay. How are they different from a botnet?
Jeff Williams:
A botnet is a collection of machines which have been infected. And usually there’s a command and control infrastructure where the bot herder, the person who owns the botnet, can send commands to all the infected machines to do a thing.
Adam Levin:
They’re like a robot army, right?
Jeff Williams:
It’s very much like a robot army and the things that they can do are whatever the attacker has coded them to do. They can send spam, they can do denial of service, they can install new software, new malicious software, anything that you can code up. And over time we’ve seen a real evolution in the capability of these botnets.
Jeff Williams:
First, from single purpose, doing something stupid, like denial of service all the way up to something that’s criminal in nature and monetary in function, whether that be ransomware or spam for profit or phishing or any number of things. And some even do a combination of this and the ones that do a combination of this ended up being turned into crime as a service in many cases where the bot herder will sell access to their botnet because they could do all these things. Other criminals, who might not have the capability to build their own botnet, could join in the fun and do their bad things using the same botnet.
Beau Friedlander:
And now to be clear, some of the crimes we’re talking about were like the ubiquitous, oh, there’s that big word, emails that we saw advertising drugs. And, as we know, those drugs weren’t always real and they could be very dangerous.
Speaker 5:
Absolutely. There was a lot of counterfeit pharma being sold through spam. You saw marketplaces getting stood up. The Canadian pharmacies selling V1 Agra and similar things to-
Adam Levin:
That’s why doesn’t work.
Beau Friedlander:
Oh, poor Adam. No, you should have… You never buy off brand Viagra. Poor guy.
Travis Taylor:
All I can say is my C1 Alice seems to be working perfectly, but-
Beau Friedlander:
Oh, wow. Wow. What, but besides selling drugs, what else? Like what kind of crime? I know I’ve heard of ransomware as a service, but crime is a service predated it I’m guessing.
Jeff Williams:
It did and it wasn’t just Viagra and Cialis. It was any luxury goods. Any brand that you would recognize, whether that be Verne or Rolex or, or whatever. And it could be real, it could be fake. Some of the things that were being sold online were real. The criminals would go out and steal credit cards and they’d use those credit cards to make purchases. And then they’d have all this merchandise that they didn’t really want. The secondary portion of the attack was to fence the bad, the good…
Beau Friedlander:
You get, you could get a $10,000 Rolex for a 1,000 bucks or 500 bucks. Real, real thing.
Jeff Williams:
I’m just going to say conceptually because I never did any test purchases.
Beau Friedlander:
No. We did a recent episode with Brian Ebert, who was the Chief of Staff for the Secret Service. And he walked us through exactly that sort of scam.
Jeff Williams:
I’m pretty sure that they did test purchases. That would be good evidence award.
Adam Levin:
What is the biggest current marketplace right now for cyber crime?
Jeff Williams:
Oh, the biggest current marketplace, I mean, that changes all the time. And one of the good reasons that it changes all the time is that Europol, and the FBI, and the Australian Federal Police have gotten really good at taking them down. If we think back to when I was getting into this, law enforcement wasn’t super excellent at taking down these sites. They didn’t always have people on staff who had these technical skills. One of the early things, even before the Digital Crimes Unit at Microsoft stuck was stood up. There was a need for companies like Microsoft and some of the other majors to go out and help law enforcement learn these skills. That was when I first got into this around the time of Zotob, which was a worm that happened in, I think, 2005. And that was one of the first things that I was involved in the take down space. And that one, I wasn’t really very much involved in. I was aware of it, provided some information to some of the people who were doing the active work.
Beau Friedlander:
It sounds like in the very beginning, like back in 2005, when you were getting into this world, the police really had no way of making arrests in these or take downs or anything like that, because they had no idea even that these things existed. Am I right?
Jeff Williams:
Yeah. Not only was there not a high level of skill in some of the law enforcement agencies, but there were also weren’t laws on the book that specifically applied to things on the internet. Where exactly does a crime take place on the internet? Is it on the attacking computer, which might be in country A, or is it on the victim computer, which is in country B, or is it on the ISP that’s in between them or the five ISPs in five different countries that are in between them?
Jeff Williams:
The jurisdiction really becomes challenging. The interesting thing with Zotob, and I’m really impressed with the work that was done there is because they’ve got arrests and prosecutions against the people responsible, which I think is one of the best outcomes you can have in one of these cases, they actually used money laundering and other laws that were already on the books that weren’t specific to the internet. The authors who were… One was an 18 year old in Morocco, and the other was a 21 year old, who was in Turkey were actually prosecuted in their local jurisdictions using these kinds of traditional laws.
Adam Levin:
Since we’re talking about favorites today, you got a favorite story from your work in security you want to share?
Jeff Williams:
I think the best one to talk about today would be the Rustock take down, which happened in 2011. This is after the Digital Crimes Unit had stood up and they’d done a couple of take downs already with Kelihos A and Waledac, and had some great partnerships that they built with law enforcement, and with the ISPs, and the computer emergency response teams for countries around the world. Because when, when you do a take down, it’s not just enough to dismantle the infrastructure. You’ve got all of these computers that are still infected. And if another criminal came along and said, “Oh, there’s a fly in how you took that down, I’m going to go take over that botnet.” All those computers would be back up doing their crimes again.
Jeff Williams:
Cleaning up the computers becomes really important. As I was part of the Malware Protection Center at Microsoft, and one of the things my team was responsible for was the malicious software removal tool. The natural thing was for us to work with the ISPs and work with the certs around the world to give them custom tooling so that they could do the cleanup after the botnet take down happened. The Rustock take down in 2011, the Rustock botnet was about somewhere between one point five and two million infected PCs. Really, really huge compared to what had come before, which you would’ve measured in the tens of thousands.
Beau Friedlander:
This was the biggest to date?
Jeff Williams:
I don’t know if it was the biggest to date because Conficker was around the same time and Conficker was also quite large, but it was a new scale. And it represented the criminal monetization efforts. When you’ve got a monetary incentive to do this, you might work a little harder and go a little further and bring in additional resources because you know there’s going to be a payoff. Rustock was one of these Swiss Army Knife, crime is a service bot nets and it was pushing out just ridiculous amounts of spam.
Jeff Williams:
My role in the Malware Protection Center, in addition to doing the malicious software removal tool also did anti-spam research. I went to the research team, Terry Zink in particular, and Terry looked at the data to see where was the most prevalent… Which botnets were most responsible for the global spam problem. Not just in terms of the volume of spam, but the difficulty in removing the malware associated with it, the persistence, the longevity of the botnet. We looked at it from a lot of different angles.
Travis Taylor:
I think most people view that as being irritating, but how is that a cybersecurity threat?
Jeff Williams:
Well, a lot of spam has links it and it’s the links which are sometimes malicious or lead to an action that a person might take bits against their interest. Buying something counterfeit, or giving away information, or giving access to their own computer inadvertently.
Beau Friedlander:
Why is it interesting to Microsoft to stop them Jeff?
Jeff Williams:
Microsoft’s interest was really to protect the Windows ecosystem and protect Windows customers because it had become such a pervasive problem that it was impacting the brand. That people were equating poor security with Microsoft. Microsoft had done the big standup of trustworthy computing saying, “We’re going to change all of this and we’re investing.” And they took all the developers of Windows and made them stop developing codes until they learned security. And then they could go back and develop their codes securely. A lot of things just fundamentally changed overnight with that memo in 2003, that Bill Gates sent her out.
Beau Friedlander:
Well, didn’t Bill Gates claim that he was going to eradicate spam forever?
Jeff Williams:
Yes.
Beau Friedlander:
How’d that work out?
Jeff Williams:
Unfortunate statement with great intent behind it. And the idea was that spam is a technology problem. Technology problems have solutions. Smart people can come up with good solutions to technology problems. But what the thinking didn’t include is that it’s not a technology problem. It’s an adversary problem. And the adversaries will iterate on their attacks, anytime their attacks stop working, or anytime they can make their attacks better.
Jeff Williams:
The idea behind Bill Gates statement about eradicating spam was to use this old concept called Penny Black. If you think about the original postal system, the early days of the postal system, you could put a Penny Black stamp on a letter and the person receiving the letter would have to pay the tax. This was a technology version of Penny Black, where there would be a computational challenge that the receiving computer has to… Or the sending computer has to do in order to send the mail. And that computational challenge for one male, not very impactful, just like a penny isn’t very impactful to send a letter. But if you’re sending a million pieces of spam, if you’re sending a million pieces of spam, then that’s a million computations that have to be done and that’s intensive on the computer. You need a bigger computer or more computers, and we’re going to do it.
Adam Levin:
All right. The first question is how successful were these spam bot attacks?
Jeff Williams:
Hugely successful. I think that at one point spam accounted for 91% of all internet traffic.
Adam Levin:
Wow. All right. In this case, you pretty much could say that technology doesn’t always, or even often, solve cybersecurity problems.
Jeff Williams:
I think that’s a miscasting of the technology. Technology isn’t solving problems. It’s the application of technology that solves a problem.
Beau Friedlander:
Yeah, no, but I think, I think I would’ve said it the same way. I get the difference, but the way that you put it is absolutely brilliant. That there’s an adversary problem.
Jeff Williams:
Yes. Yeah. I mean when you think about it, the difference between use and abuse is only two letters. There’s not a big gap between using technology for good and using technology maliciously. It’s dual use.
Travis Taylor:
When you take down something like a huge botnet like this, what’s the overall impact?
Jeff Williams:
Well, in the case of Rustock, the impact was actually pretty huge. And, as I mentioned, it was the most impactful spam bot at the time. And when the take down happened, global spam was reduced by 75% overnight. Wow. And that lasted for a number of months until the bad guys came back with new botnets… Or the people who were buying crime as a service bought crimes as a service from other botnets, and started over with some other.
Adam Levin:
Overnight 75% drop.
Jeff Williams:
Overnight, a 75% drop in spam globally.
Beau Friedlander:
Bill Gates’s promise game true and he loved you.
Jeff Williams:
We tried. I don’t know if Bill Gates even knows my name, but that’s okay.
Travis Taylor:
What do you think law enforcement learned from that? And then also, what do you think other cyber criminals learned from that take down?
Jeff Williams:
Well, the legal side of this, I think the biggest thing that came out of Rustock is that Richard Boskovich, who was heading up the Digital Crimes Unit still isn’t doing the Digital Crimes Unit, he came up with what I think is a pretty novel legal approach. Because the spam was targeting brands like Viagra and Rolex and whatever, he treated it as a trademark problem. Worked with the court under the Lanham Act to allow the seizure of those servers as part of a trademark infringement claim. Really kind of interesting approach to going after the criminals directly.
Beau Friedlander:
That’s like a very unique setup that Microsoft had where they had put together technologists and lawyers to figure out strategies to actually stop these people. And trademark was the workaround that they found.
Jeff Williams:
Absolutely. The combination of a legal and technical approach is so much better than just going after from a technical perspective. The team could have pushed out malicious software removal tool until the cows came home and there’d still be new malware infecting machines and so on. It’s playing whack-a-mole. But when you get the legal side of it right, then you’re not only taking the infrastructure, but you create the shilling effect. In some cases you might actually go after the individual. A lot of these cases are filed as John Doe cases. You don’t know who’s responsible, but you know there’s a responsible party. When the cases are filed, it’s against John Doe. And then as you collect more information, like you might get from the forensics of examining servers taken from a co-location facility which the attackers had connected to from their home machine, then all of a sudden that John Doe can turn into an actual person, and that person can be charged with crimes. And if you get an arrest, like I said, that’s the best possible outcome.
Adam Levin:
Did brands get involved in the prosecution?
Jeff Williams:
I believe that there were brands involved. I think that Pfizer wrote Amicus brief in support of the case. I think there was another brand, but I don’t know if they’ve gone public about who it was. I don’t know if it’s a public record, but there were definitely luxury brands being harmed. And the court looked at this as not just a technology problem, but a business problem.
Adam Levin:
And because of this, you, people were able to seize the infrastructure and use these seizures in order to do more forensic analysis. Right?
Jeff Williams:
That’s right. That’s right. And that forensic analysis of servers can lead to things like if the criminal is really good about masking the machines that they’ve infected, never connects to them because they have a command and control infrastructure. If they connect to the command and control infrastructure from their own machine, without sophistication of any kind, that leaves these digital breadcrumbs that can then be followed in a traditional law enforcement way from an investigation perspective. If I see that IP address one dot two dot three dot four connected at 10:17 PM to this server that I know was involved in the command and control. Then I can go to the ISP and say, “At that time, who had that IP address?”
Travis Taylor:
I think one of the main things I’m kind of wondering about here is, if you can walk us through what the forensic steps were to be able to both identify and then to be able to take down this operation?
Jeff Williams:
Sure.
Travis Taylor:
And Beau and Adam, please let him speak.
Beau Friedlander:
Will do, will do.
Jeff Williams:
The case preparation took several months, and it was not just the legal side of thing, getting the story that the court had to be told in order to get the outcome that was desired to seize the servers and so on. But there was a technical aspect we had to enumerate the entire bot, where was it in the world? What IP addresses, how many, what countries, and so on. With that information, we were able to go to the cert for each of the countries and the ISPs that were hosting the infected IP addresses that we could see and say, “You have a problem. We want to help you solve that problem. And can we have a conversation?”
Jeff Williams:
This partnership kind of happens in silence. It’s something where it’s part of the investigation. You keep it close to your chest. Operational security is tight. You don’t even talk about it within your own companies. That only the people who are working on it, who have that need to know are involved. When you get all of those pieces in place, then it can go to the court. The lawyers took it to, I believe it was a court in North Carolina, and went to the court and said, “We’d like a temporary restraining order that says we’re able to go and seek the people responsible.” And that was done under sealable so that the court records didn’t spoil the idea that we were going to do this take down. The bad guys didn’t, of course, appear in court to respond to the temporary restraining order. Because they’re a criminal, why would they?
Travis Taylor:
Right.
Jeff Williams:
Why are you going to show up and say, “Yeah, I did that. Leave me alone”, because they’re going to get walked out in bracelets. But the court saw that this was a business problem. This was a technical problem that yes, crimes were being committed, that nobody had stood up to say, “Hey, don’t do that. You’ve got the story wrong and I’m innocent.” The court granted the request to take over the servers and the US Marshall service was called out. I think they went to five or six co-location facilities in the United States. I think there were 96 total servers involved in this globally. I’m not sure of the 96, how many were in the US, but it was five or six locations that they went into hosters and said, “That server right there, I’m going to take it with me.”
Jeff Williams:
And the hard drives from those were then poll contents of them examine and so on. And while that forensic examination was happening, the remediation phase went into effect. Because Microsoft had taken over the botnet, all of the machines that were infected and calling home were now calling home to Microsoft server. IP addresses that had been used for command and control were now Microsoft IP addresses. All that traffic was going to the Digital Crimes Unit and the Digital Crimes Unit was cataloging it by IP address and timestamp. And going back to the ISPs and saying, “Here are the machines that need to be fixed.”
Travis Taylor:
Were the compromised device devices here? Were those computers, routers, IOT devices, or-
Jeff Williams:
Yeah, for Rustock it was computers, the net effect of it. The first seven days after controlling those IP addresses 1.7 million unique IP addresses checked in to the botnet. There may have been more at the time computers that just weren’t turned on, or weren’t connected to a network, but yet were still infected. But 1.7 million in the first seven days. And I think the max number we saw was 2.4 million, so huge, huge botnet. And then that partnership with the ISPs and certs and also I should probably mention FireEye. Alex Lanstein of FireEye was a malware analyst researcher who contributed to the work that was done along with people at Microsoft.
Travis Taylor:
I think one of the things I’d like to just be able to break down for our listeners here is lot the time when we hear about things like malware or botnets, it sounds like it’s this huge abstract concept. In the case of the Rustock, how were those computers compromised?
Jeff Williams:
You know I don’t actually have that answer. There were so many infections happening at the time that to say one infection vector versus another infection vector… It could have been people clicking on things that they shouldn’t have, whether it be on a website or in a spam email that they got from an earlier iteration of the botnet or from a different botnet. It could be people downloading software that isn’t the real thing and so comes with malicious content included. Things they find in USENET groups where they’re downloading things to have cracks or, pirated software. Any number of ways people can get it infected.
Travis Taylor:
Yeah. That totally makes sense. I think one of the whole things about cyber crime is people tend to think like that’s just something that happens. And then they don’t really know that their own personal device can actually be compromised and then leveraged into a spam attack for instance.
Jeff Williams:
Well, and it is just something that happens, but it’s something that doesn’t have to happen. Because if you think today about the guidance we’re giving people about, here are the five things that you could do to improve your security: use strong passwords, and don’t use the same password on multiple sites, and use multifactor authentication, and keep your software up-to-date, and keep your operating system up-to-date. Those things are the same things that we were saying in 2001, 2002, 2003. It’s been the same guidance all along. The challenges that software manufacturers haven’t made it easy for people to do the best thing for security. It’s gotten better. It’s certainly gotten better over time, but it’s not easy yet. The very fact that you need to remember a password to get into a site, but there’s a hundred sites that you need to get into, is something that just creates all kinds of problems. Are you going to use the same password at Amazon that you use at Joe’s Pirated Software Emporium? Or are you going to use-
Travis Taylor:
You can say the Pirate Pay, that’s fine.
Speaker 5:
The pirate pay.
Jeff Williams:
Yeah, you’re right. That was a big one but the idea that you’re not in full control of that password once you have it logged on somebody else’s site is a real problem of identity. If they store your personal information, then all of a sudden they’re the custodian of it. And if they don’t adequately protect it, ends up in some breach that ends up getting sold in those same dark markets. If you go to haveibeenpwned.com you’ll see that there are literally hundreds of millions of email password combinations that are available for sale in the underground.
Adam Levin:
We are the Evangelist for haveibeenpwned. But do-
Beau Friedlander:
Ask him. Ask him Adam. Ask him the password. Ask him the password question, man.
Adam Levin:
I’m dying to ask you the password question. Oh my God. This big drive by Microsoft and Google and Apple to get people to do it another way.
Jeff Williams:
Yep.
Adam Levin:
How do you feel about that one?
Jeff Williams:
I’m absolutely in favor of it. I think the password-less is a very powerful way to get away from a fundamental technology challenge.
Beau Friedlander:
Jeff, Jeff, Jeff.
Jeff Williams:
Yes?
Beau Friedlander:
Did you see The Big Lebowski?
Jeff Williams:
Hold my drink.
Beau Friedlander:
Dude. Well, you remember the nihilists and they said, “She cut her pinky off.” You remember them? What people are going to start cutting people’s thumbs off. I disagree.
Adam Levin:
I don’t see the thumb cutting coming.
Beau Friedlander:
Jeff is stunned by the level of stupidity I just threw at him.
Adam Levin:
Maybe the whole out-
Travis Taylor:
It was a pinky toe for the record. It was actually-
Adam Levin:
Pull out her eyeball perhaps.
Travis Taylor:
Popular singer Aimee Mann’s toe.
Jeff Williams:
I think your scoring of actual risks doesn’t put that one at the top of the list. You can-
Beau Friedlander:
Whatever.
Jeff Williams:
If you’ve got a situation where a criminal has the ability to cut off your finger, they can compel you to enter your password in lots of other ways.
Beau Friedlander:
Not if they’re not Jack Bauer.
Adam Levin:
Stare at this cell phone.
Beau Friedlander:
Okay. Okay. Okay. We let him answer. Now. I’ll stop interrupting. Why do you think it’s a good thing and how will they do it? Is it biometrics? Is it a token? What is it?
Jeff Williams:
Well, I think there’s multiple ways to do it. Biometrics, token, but I think the really important aspect of it is getting to that idea of self sovereignty. That I control my identity. I don’t have to have my identity on a hundred different sites. I don’t have to have my personal information on a hundred different sites. I control it. I control where it goes. If I order something on Amazon, they have my password, they have my address, they have my credit card number, they have my order history, and all the things that go along with it. And then in fulfilling that order, they give my address, name, and other information to UPS so that they can deliver it. They give information to Visa so they can process the transaction.
Jeff Williams:
There’s all of this information that’s going to multiple parties. And that’s even before we start to get to the ad tracking and the cookies and things where my preferences and actions are being profiled. But if I’ve got all of this controlled on my own device in a tightly encrypted manner, and I choose where it goes, then I don’t have to worry about that onward transfer. UPS doesn’t need to know of anything other than my address to deliver me a package. They need to know that it’s authorized, that it should be going to my address, but they don’t need to know my name even. They don’t need to know what’s in the box. They don’t need to know anything like that. Visa doesn’t need to know anything except I need money. I need money from Jeff. And here’s the amount and it’s approved. And Amazon doesn’t-
Beau Friedlander:
I kind of love this. You’re ma-, you’re selling it, man.
Jeff Williams:
Amazon doesn’t need to know my credit card. They only need to know that Visa says, “Yeah, he’s good for it. Go ahead.” This idea of not having all of this sensitive and personal information stored in a hundred different places in order to do the things that we do every single day reduces the risk overall. I think there’s a real power in putting things into the control of the individual as long as the software providers make it easy for the individual to do the right thing.
Beau Friedlander:
Jeff Williams you just knocked it out of the park. I now belong to the church of your way of looking at this.
Adam Levin:
No, we have always said that there’s a shared responsibility and the individual plays in a critical role in cybersecurity and in cyber hygiene. We’re all… this is the same choir. We’re all singing together.
Jeff Williams:
Absolutely.
Travis Taylor:
I think it’s something that people tend to overlook where they look at the Venn diagram between privacy and security as being, not a lot of overlap, but at the same time, yeah. I think you’re completely spot on here where your privacy is a matter of security because the fact that when you know who has access to your information, that lets you know who is able to access your accounts.
Jeff Williams:
Yeah.
Adam Levin:
But let me ask you one question and that is, what if you lose your device in this tightly controlled internet secure world?
Jeff Williams:
Well, you can’t lose the Cloud. If you got your encrypted content stored in the Cloud and available to all your devices and authenticated with biometrics or something else that’s provable as you, then that problem is solved.
Beau Friedlander:
Something you know, something you have, and something you are. Yeah. But Jeff, isn’t storing something on the Cloud just storing something on someone else’s computer.
Jeff Williams:
The Cloud is definitely someone else’s computer.
Beau Friedlander:
Isn’t that a problem?
Jeff Williams:
Depends on the other person.
Beau Friedlander:
That’s like the adversary problem but the reverse.
Adam Levin:
It’s always the other guy. Well, look, the bad guys are always looking for ways to get after you and they’re going to get you.
Adam Levin:
And anything we can do to make it harder for them is going to help us.
Jeff Williams:
Absolutely.
Adam Levin:
I mean that’s the bottom line.
Jeff Williams:
Absolutely. I want to go back to something that Travis said though. He talked about the Venn diagram of security and privacy. Right? And I don’t actually view it as a Venn diagram because I think they’re too intertwined to be separated. I think that security is the how, privacy is the why.
Travis Taylor:
That is an excellent way of putting that.
Beau Friedlander:
I want Jeff to be the president of all things cybersecurity everywhere.
Travis Taylor:
Jeff makes us look like smart for having gone to Bennington.
Beau Friedlander:
Or he makes us look smart for just having known him.
Travis Taylor:
Oh there you go.
Beau Friedlander:
I have a question-
Adam Levin:
Welcome to the Boys Club here.
Beau Friedlander:
As Adam was saying we’re all singing with the same choir. Jeff, did you sing with Randy’s choir at Bennington?
Jeff Williams:
I didn’t sing with the choir, but I did take [inaudible 00:45:02] and I did do super performances and so…
Beau Friedlander:
Okay because I thought maybe that we sang next to each other. I was the worst world’s worst tenor but I guess not.
Adam Levin:
Maybe you guys could sing a cybersecurity song together.
Beau Friedlander:
Would you have a cybersecurity song? How does it go?
Adam Levin:
Sing a song.
Beau Friedlander:
No, no, no. Stop.
Adam Levin:
It doesn’t have to be long.
Beau Friedlander:
Please stop.
Adam Levin:
Try not to be wrong.
Adam Levin:
As we wrap this up and we are eternally grateful for you sharing a few moments of your life with us, although apparently you’ve shared part of your life with some of us before the rest of us. What tips would you throw out there for people since we are the ultimate guardians for ourselves, our families, our companies… We are ultimately, so what tips would you do?
Jeff Williams:
Well, I would say that just be cognizant of what you’re doing online and the providers who you are trusting with your data, what are they doing? If you think about things like, any social media site is not really serving you. They’re serving advertisers, and they’re serving other data aggregators, and they’re profiting on your information. While it’s not a bad thing necessarily because they provide a free service to you in the process. Free in quotation marks. You’re paying with your data and information about your activities. Just be aware of what you’re doing and know that other people are going to see it. People beyond just your friends and the whole idea of surveillance capital, the underpinning is that for person A to communicate with person B, person C has to make a profit from the conversation.
Jeff Williams:
It’s a situation where we’ve really backed ourselves into a corner with the internet itself by building everything on this. And I think that the way we take that back is by putting control into people’s hands. Password-less and self sovereign identity and some of the other things that are starting to come to more prominence, the web three ideas I think are very, very powerful. And I hope that it democratizes information again instead of putting it in the hands of a few very powerful entities.
Beau Friedlander:
All right. Thank you Jeff so much.
Travis Taylor:
Thanks a lot, Jeff.
Jeff Williams:
It was a pleasure to be here. Thanks everyone.
Travis Taylor:
Right, thanks.
Adam Levin:
Jeff said that after the Microsoft team took down the Rustock botnet, in just a few months the bad guys moved on, spam levels rose again. And he said the same tips that he was giving people back then, are still tips he gives out today. Are we just doomed?
Beau Friedlander:
Yes.
Adam Levin:
Is this type of attack unavoidable?
Beau Friedlander:
No. I mean that was the whole thing that was so amazing about Jeff was he is the first person I’ve heard talk for any extended period of time on the topic of cybersecurity and privacy who made me feel like there might be hope.
Adam Levin:
We don’t have to move to the country like you and hang out with bears and tractors.
Beau Friedlander:
I just fixed my tractor which I ran over a rock and it got… Anyway, you don’t want to hear. We don’t. No, we don’t. I think we can just… The thing that I was allergic to, the password free situation, it sounds really promising.
Travis Taylor:
It does especially when you consider the parties involved there. That’s Apple, Google-
Beau Friedlander:
There’s going to be parties.
Travis Taylor:
Microsoft. Yeah.
Adam Levin:
Well, yeah. There would be-
Beau Friedlander:
Like a rave or like a-
Adam Levin:
There’ll be a celebration of privacy.
Beau Friedlander:
Oh. That kind of party. Yeah because I mean it is interesting that those are the biggest players.
Adam Levin:
We know that Apple, Microsoft, and Google are… That’s the list so far, at least the headliners. Is there anyone else, big time, that should be on that list that, at least as far as we know, isn’t on the list?
Beau Friedlander:
All right. A hundred percent. I have one. You only get one each… Or Travis, you can go, who’s yours?
Travis Taylor:
I’d say any major internet provider in China.
Beau Friedlander:
That’s rather specific.
Travis Taylor:
Well, that is right now. I mean they have a huge population. That’s a really big market. But when we talk about Apple, Google, Microsoft, those are US based companies and the internet is a global phenomenon. It’s a global environment.
Beau Friedlander:
This has been an episode of me understanding, in a very humble way, that I’m dumb.
Adam Levin:
Finally.
Beau Friedlander:
Well, it had to happen, because mine was very different from that. I think that on that list should be Zuckerberg, Elon Musk when he takes possession of Twitter, and all of the other major portals that are, let’s face it, social media is the way people quote unquote, go online. A lot of people.
Adam Levin:
And I certainly think that any organization that is dealing with children and children’s information absolutely needs to do that as well.
Beau Friedlander:
And it’s not just… TikTok obviously was in my grouping of social media, but I mean… But the internet touches everyone’s lives and it’s sort of indiscriminate. I think that’s kind of the point is it would be nice if we could fine tune the way that individuals experience it.
Adam Levin:
Well, and think about the fact that for many people in the world, Facebook is the internet for them. There is nothing else.
Travis Taylor:
Well, I think one thing that we often overlook too, though, is that Facebook for, or Meta in general, and Google and apple and Microsoft all have such a huge reach that if they can actually commit to doing one change, then that will actually have a global impact.
Beau Friedlander:
I think Jeff should be in charge of the whole thing.
Adam Levin:
I’m with you on that.
Beau Friedlander:
Make it so.
Adam Levin:
Make it so, number one.
Beau Friedlander:
Well, I’m bowled over. I think that this episode was the… I have to say, we did it. We did the favorites in the beginning, which I thought was a little tedious, but, no offense everyone else who’s been on this show, this is at this very moment, Sally Field’s style, who really, really… I really, really liked this episode. Right now. I really like this episode. I learned so much.
Adam Levin:
Are we saying-
Travis Taylor:
Do you hear that, Dan Ahdoot? Do you hear that with your anchovies?
Beau Friedlander:
Oh, that was cold, man. I meant right now.
Adam Levin:
You’re fishing for something there, my friend.
Beau Friedlander:
Wow. Travis, you’re bad.
Travis Taylor:
We’ve emailed back and forth a few times. We’ve come to an agreement on a NATO, so, we’re good.
Beau Friedlander:
Okay, good.
Adam Levin:
I feel so much better about that now. I can go to sleep at nights.
Beau Friedlander:
I’m not switching. I’m not going to change horses on this one, but I do really love that Dan Ahdoot episode as well.
Adam Levin:
But we also need to hear from our listeners. In addition, when you do your ratings and you write the reviews, tell us whether or not you think the favorites list is tedious. I’m hurt. I’m wounded.
Beau Friedlander:
No, because if they think it’s tedious, you’re going to be even more hurt because they’re going to be like four stars. Four stars because the list that the best of thing was tedious.
Adam Levin:
Okay. I tell you what then our listeners, when they’re rating us in between the stars can tell us what their favorite episode is of this show.
Beau Friedlander:
Fair enough. I think that… Yep. I’m down with that. I think that’ll stop them from giving you four stars and making you very sad.
Adam Levin:
I don’t want to be sad.
Adam Levin:
(Singing).
Beau Friedlander:
What the Hack with Adam Levin is a production of Loud Tree Media.
Adam Levin:
It’s produced by Andrew Steven, the man with two first names.
Travis Taylor:
You can find us online at loudtreemedia.com and on Instagram, Twitter and Facebook @AdamKLevin.
Speaker 5:
Loud Tree.