Don't leave your front doors open
Feb 16, 2021 6:53 pm
Welcome to the second edition of InCyber Regular! We talk about cyber security issues and topics that are especially impactful to industrial and commercial small to medium businesses. Now that we've got that settled...
In today's edition: Why go in through the back when the front is open? We talk SIM hacking and security for OT with Matt Cameron
What front door?
You've likely already heard about the exploited vulnerability at the Oldsmar, FL water treatment plant that nearly poisoned the entire city. You haven't? Read about it. Spoiler alert: the "real story" is coming below.
Turns out this was a severe case of shoot-yourself-in-the-foot-itis. Again from The Verge:
The reality? The water treatment plant itself left off-the-shelf remote control software on these critical computers, and apparently never, ever bothered to change the password.
So I ask you: what front door? Quoting further from The Verge article:
this Florida water treatment plant apparently didn't bother to issue individual passwords for software that could give anyone complete access to any of their computers and their water treatment system.
Christopher Krebs, former Director of the US Cybersecurity and Infrastructure Security Agency (CISA), has said this was likely an insider job and not a hack at all. Someone merely walked through the front door and hit the self-destruct button.
So what we're really dealing with here is an accidental red team scenario.
And that's ok, because we all just got a very public lesson in security hygiene: don't leave remote control software on critical systems behind a default, shared password; audit who has access, and how, on a regular schedule; and give every person their own strong, unique password for every account. That last point means, yup, you guessed it, a password manager that can generate, store, and distribute those passwords.
Please don't make these mistakes. And if you think you're at risk, email us back for help.
Matt Cameron
Here's our interview with Matt Cameron from Rockwell Automation.
Who is Matt Cameron?
In short, I'm a dog dad, bourbon lover, Harley rider, hardcore Jeep enthusiast, cybersecurity buff, and aspiring leader.
Favorite security resources you're using right now?
I have to say that for me it is Professor Messer's YouTube channel and the podcast Paul's Security Weekly.
Pizza or tacos?
🌮 TACOS 🌮
Fun fact: I once set the record for the number of tacos eaten at a local restaurant on their AYCE taco night. 17 tacos in one sitting.
What security vulnerabilities are you always telling customers to address?
- MFA. True MFA. For MFA to be properly implemented, it must use two DIFFERENT factors of authentication from the following: something you are, something you have, something you know, somewhere you are, or something you do.
- Air gap the controls network. I know, I know, in practice this doesn't work as well as in theory (e.g. Stuxnet), but I find too often that it is far too easy to remote into a site.
- Configure firewall rules! Don't just disable firewalls because it's easier to get the software working that way.
Why did you get into security?
I think to thoroughly answer this we are going to have to go way back. My love for computers started at a young age and I would definitely say my dad, being a video game geek and computer nerd himself, played a big role in this... [there's lots more to this great story, but we're skipping ahead a bit; read the full story here!]
This next part of my story that I am going to share with you is what finally prompted me to take my dive into cybersecurity. Fast forward to the end of Summer 2020.
I had spent the summer working on my Jeep, and Sunday, September 6, 2020 was no exception. My dad and I were out in the driveway wrenching away on my Jeep. He got a PayPal payment from a co-worker of ours for $900. My dad and I agreed that it was clearly a mistake and he decided that he would just reach out to him after we finished up with my Jeep, as we were covered in grease. Once finished, we were starving. My best friend, who lives several hours away, happened to be in town. I invited him to come over and said that we would all go get take-out from our favorite Mexican restaurant down the road.
We went, grabbed the food, returned to my dad's house and were sitting eating at the table when it all began. I got up to grab a drink from the fridge when I received a text message that read "Ok" from a 216 (our area code here in Cleveland) number that I did not have saved in my phone. Thinking nothing of it, I deleted it and continued. We would later find out that this number belonged to the same person that had sent my dad $900 on PayPal earlier that day. Next, I got a message that read: "<Cellular provider> Security Msg: A request to transfer XXXXXXXXXX from <cellular provider> to a new service provider is in process. If you did not request this change, call XXXXXXXXXX". I read it out loud and my dad said he had got the same message. We concluded that it had to be another one of those text message scams and ignored it.
People in the Cleveland area had been getting these like crazy during this time, so we didn't think too much of it. 15 minutes or so went by as we continued to eat dinner. I tapped my phone screen to check my notifications and noticed I didn't have service. Sometimes this happens for no reason, so I flipped my phone into Airplane Mode and back out of it... nothing. I said out loud, "Huh! I have no service." My dad said, "Neither do I." At that exact moment everything clicked in my head. I slammed my fist into the dining room table and used a choice word. My dad looked at me and said, "What?!?!" I told him, "We just got SIM jacked!"
Thanks to my avid security podcast listening, I was all too familiar with this or else we may have sat clueless for some time trying to troubleshoot the problem. I told my dad to check his accounts. The hacker had already begun using his PayPal to transfer funds all over the place. Remember that random $900 he had received earlier? Yeah, that was just a test to see if the PayPal account was valid. I checked my PayPal. The hacker had sent money from my dad to me and was trying to offload it onto a pre-paid Visa. I changed my password, but he was able to reset it. The hacker and I continued to battle for several minutes as I desperately tried to protect my hard-earned money. He appeared to have given up for at least a little bit, so I asked my best friend if I could use his cellphone to call the customer support line for our cellular provider. With it being 9 PM or so the night before Labor Day, support staff was scarce and I had to wait on hold for quite some time. When I was finally able to talk to someone, they confirmed that my number was ported over to a different service provider. They told me it was going to take 72 hours in order for them to try and get it back.
At this point I was triggered. I knew it wasn't her fault, so as nicely as I could I explained to her that I didn't have this much time because the hacker was draining money out of my bank account as we were speaking. She continued to tell me she couldn't do anything and the turnaround time would be 72 hours. I realized that I would not get anywhere with this person and thus decided to ask for her supervisor. After some reluctance, I was transferred over to him. I explained to him the magnitude of the situation and he agreed to try his best to run it up the chain, but said that he could not promise anything faster than 72 hours. At this point I decided that I was not going to get any further with them and that I needed to start locking down everything as best I could.
I had a pretty good idea of what I should do, but decided that I should ask the 2 most knowledgeable people I know when it comes to cybersecurity, my mentors. I group messaged them and told them I had been SIM jacked. Brad instantly responded despite it being late on a Sunday night and told me to call him.
He told me that I needed to freeze all bank accounts and lock down my emails as best I could. He said that PayPal was likely a distraction so the hacker could go after my email accounts. I went through and froze every bank account and credit card that I had via their apps. Next, I randomized every email password I had and removed my cellphone number from all of them so that the hacker could no longer use it as a method of verification. While I was doing this, the hacker had continued to rampage through my dad's digital life, so I began helping him narrow his focus. Once we got him to a place where I felt that we could afford 20 minutes away from the internet, we hopped in the car and went into our office so that we had a working phone line and access to an email account that we were somewhat certain was safe. By this point I was pretty locked down, but my dad was far less secure. He continued to work through securing all his accounts until around 3 AM, at which point we went back to his house. At this time I noticed the hacker had made another micro transaction on my PayPal because PayPal would not allow me to remove my phone number as the authentication method. Due to it being late at night on a holiday weekend, I could not reach any support staff. So, I called in at 3:30 AM and began disputing every single charge through the automated phone system until they locked my account.
At last, I could go to sleep in peace. Although I had sufficiently locked everything down, I couldn't help but feel incredibly violated. I hated this feeling and went to bed knowing that I wanted to do something more to fight it. When I woke up in the morning I began working with a cyber forensics team to investigate the issue further. We were able to identify that several people had been SIM jacked and they all had received the same "Ok" text from the same number before they lost cellphone service. I was instantly hooked. This just got even more interesting for me. I continued to work with the team throughout the day as best I could (remember, I didn't have cell service, so no chatting with anyone on-the-fly). My dad wanted to go to the phone store to see what we could do, so we did. The lady at the store said we would just need to put new SIM cards in our phones and we would be good to go. I tried explaining to her that this would not work because the phone numbers no longer belonged to our cellular provider, but she insisted. I figured there was no harm in letting her try and this would allow her to prove it to herself. She put in a new SIM and my phone had service. I tried calling my dad and it went through. I didn't get it and I was freaked out because I knew for a fact that this shouldn't be working. I instantly started messaging my mentor on LinkedIn as I didn't trust iMessage at this point. I explained to him what had just been discovered. We messaged back and forth a couple of times until he asked me if I was using the same phone that got SIM jacked to talk to him on LinkedIn. He told me to stop, get another phone, and call him immediately. I grabbed my dad's work phone and gave him a call. Brad said within a few minutes of me messaging him he received a call from a local number and when he answered the other person would not talk, but he could hear them breathing on the other end of the phone.
He said that I needed to cut my SIM card in half and wipe my phone without restoring from a backup to ensure that the hacker had no lingering access to it.
I instantly ripped my SIM out, crushed it, and wiped my phone to nothing. As painful as this was, it was worth my peace of mind at this point. While my mentor tried, he was not able to track down the caller. Even though I was unsure whether the call he had gotten was pure coincidence or not, I was still chilled to the bone. Only a day later I had someone on LinkedIn from Russia request me who said he worked for a start-up that was less than 6 months old and their software just happened to be something that could be leveraged by someone in my position at my current company. They asked if they could schedule a time to talk to me. To make matters even stranger, my only mutual connection with this person was the person who I (and everyone else) received the "Ok" text from before I was SIM jacked. This was an instant red flag and I immediately reported it to the cyber forensics team I was working with, as I thought it could be a solid lead to the hacker who was behind all this. To the best of my knowledge, this was never confirmed.
This is about where this whole situation wraps up. I spent the next couple weeks transitioning to a stronger password manager, coming up with stronger security questions and answers to them, enabling TOTP MFA for everything I could (think Authy or Google Authenticator), and working to regain the financial losses I had suffered.
A few days went by and my mentor gave me an affectionate jab of, "You know, you'd make a pretty good security guy." I told him that we had visited this conversation in the past, but I just didn't know where to start. He told me that if I got some networking classes under my belt and earned my CompTIA Security+ certification he would help me out. "Game on," I said to myself. About a month later I took two back-to-back networking classes. After completing these and doing pretty well in them, I scheduled my Security+ exam for January 9th (this was at the beginning to middle of November). I wanted to commit myself so that I had a deadline to race. I worked through a little bit of Professor Messer's study materials each night after work. With a week to spare, I had made it through all of his study materials and began taking the three practice tests that he provided. With each one my score continued to increase, until on the third practice test I had just barely cleared what I thought would be a passing score (no one really knows how CompTIA grades the exams, as they do not disclose this). The morning of the exam I was READY. I had never wanted to pass a test so badly in my life. I spent the morning listening to pump-up music as if I was preparing to deadlift 600 lbs, not take an exam. I dove into the test and started plowing through the questions as best I could. At the end of the test I was unsure of how I had just done. As with any big test like this, I felt great about some questions and not-so-great about others.
As I got to the final post-test survey question, I cringed as I hit the "Next" button (I knew my test score would be revealed). It popped up on the screen that I had passed with an 804/900. I couldn't believe it. I threw myself back in my chair and threw my hands up. Not only did I pass it on my first attempt, but I had gotten a pretty strong test score! And this is really the beginning of my career in cybersecurity.
I am currently seeking opportunities in this field to exercise my new skills and cannot wait to further contribute to the community and help strengthen the field as a whole.
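Matt's first recommendation above (MFA built from two genuinely different factors) and the fix he describes at the end of his story (TOTP codes from an authenticator app instead of SMS) come down to the same point: a second factor is only worth something if it cannot be obtained by porting a phone number. The block below is an added example written for this newsletter, not code from Matt Cameron or Rockwell Automation. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, plus the server-side check that accepts a code only once. The secret is the RFC 6238 Appendix B test key, used as a constructed sample so the output can be checked against the published vectors; the issuer and account name in the provisioning URI are made up.

```python
"""TOTP (RFC 6238) generation and server-side verification.

Added example for the InCyber Regular newsletter, not code from Matt
Cameron or Rockwell Automation. The secret is the RFC 6238 Appendix B
test key (ASCII "12345678901234567890"), a constructed sample.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 Appendix B SHA-1 test key.
RFC6238_SHA1_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, then the last `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits, algo)


def provisioning_uri(issuer: str, account: str, key: bytes) -> str:
    """otpauth:// URI the authenticator app scans once at enrolment. From
    then on the secret lives on the device; the carrier never sees it."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={secret}"
            f"&issuer={issuer}&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server side. Accepts the current step plus `window` neighbours on
    each side to absorb clock skew, and never accepts a step at or before
    the last one that succeeded, so a captured code cannot be replayed."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6,
                 window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1  # highest counter already consumed

    def verify(self, code: str, at: int) -> bool:
        now = at // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already used
            expected = hotp(self.key, counter, self.digits)
            # Constant-time compare so a wrong code leaks nothing via timing.
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    """Enrolment, a good login, a replayed code, then a fresh code."""
    key = RFC6238_SHA1_KEY
    server = TotpVerifier(key)
    t = 59  # RFC 6238 test vector time: 6-digit code 287082
    code = totp(key, t)
    return {
        "uri": provisioning_uri("InCyber", "matt@example.com", key),
        "code_at_59": code,
        "first_use": server.verify(code, t),              # accepted
        "replay_5s_later": server.verify(code, t + 5),    # same step: refused
        "next_step": server.verify(totp(key, t + 31), t + 31),  # new step: accepted
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print("code right now:", totp(RFC6238_SHA1_KEY, int(time.time())))
```

The replay check matters in exactly the situation Matt describes: an attacker who watches a login from a compromised phone gets one code, and it is dead the moment the real user (or the attacker) has used it. What a SIM port still gets an attacker is any account where the phone number remains an account recovery path, which is why removing the number from email and financial accounts, as Matt did, is part of the fix and not an optional extra.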