Let’s talk about digital identity with Linus Kvarnhammar, Cyber Security Consultant at Syneptic.
Following his Swedish TV series, Hackad, professional hacker Linus discusses the biggest risks that insufficient identity management can create for individuals and organisations. Oscar and Linus explore the pitfalls of authentication, authorization (including MFA), and more – and how these lead to security incidents.
“We have a standard way of identifying a person in real life – passport, driver’s license, national identity card. But as far as I’m aware, we don’t have one that is universally accepted both by the individual and companies”
Linus is an independent cyber security consultant and professional hacker. He is also one of the hackers in the TV series “Hackad” on SVT. He has more than 20 years of experience working in the IT industry where the last 10 years have been spent exclusively doing penetration tests of applications and networks with a few social engineering assignments every now and then.
Find Linus on Twitter @lkvarnhammar and on LinkedIn.
Watch Hackad at www.svtplay.se/hackad. You can also find the English subtitles at hackad-english.blogspot.com/2021/11/hackad-tv-2021-english-subtitles.html.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello and thanks for joining. And today, we’ll hear insights from the world of hackers. Of course, ethical hacking is what we’re talking about. And we have a very special guest with Linus Kvarnhammar. Linus is an independent cybersecurity consultant and professional hacker. He’s also one of the hackers in the TV series Hackad on the Swedish TV SVT. He has more than 20 years of experience working in the IT industry, where the last 10 years have been spent exclusively doing penetration tests of applications and networks with a few social engineering assignments every now and then.
Linus Kvarnhammar: Hello.
Oscar: Very welcome. It’s nice being with you, Linus. And well, good to hear more about the interesting work you are doing there. So…
Linus: Oh, thank you.
Oscar: Please tell us a bit more about yourself and how was your journey to this world of cybersecurity and hackers.
Linus: Yeah. I- the last 10 years or so, I’ve been doing penetration testing as a security consultant. And yeah, my interest in computers started when I got my Commodore 64, I think it was 1987. And then I had an Amiga. And then I started working with computers directly after school and I’ve been doing that since. I also spent some time, some years doing development work, being a .NET programmer. So a quick bit about my background.
Oscar: You also worked as a developer at some point?
Linus: Yeah, yeah. I think my background as a developer, and an IT pro back in the early days, was a good way of getting into security. Because I think, for me, cybersecurity is about knowing how a computer system works and trying to break it, right. So if you know how the application is built, and if you know how operating systems and networks work, then I think you have a good chance of being good at cybersecurity, I think.
Oscar: Yeah. And I can imagine if you have had, since a child you had a computer at home, not many of the ones who are listening to this had that. And yeah, I’m sure you understand. You have time to understand quite well how the computer works exactly as you said and also in your perspective as a developer. So when you were, for instance, a developer, during time you were a developer, you had also this interest in trying to find the vulnerabilities or something that doesn’t work well, you had already this curiosity?
Linus: No, I don’t… Nah, not really, actually. I think I was mostly focused on – focusing on like writing good code for new and upcoming cool technologies. So I didn’t really… I wasn’t really that interested in security when I was a developer, actually. So it was first when I actually got a job at a security company doing development work. So there, as one of the few developers or maybe the only one, I saw what the security consultants were doing. I thought it was really cool that they could like break into systems and networks. It’s like being a thief, but being authorised to make burglaries, but in the cyber domain, I think it was really cool. And so I transitioned to that.
Oscar: OK, OK, that’s… yeah, that’s how you found this path. Fantastic. You have just said you have been working at least the last 10 years in penetration testing and these kind of activities. And you recently, you will tell us more, recently you have started to appear in a TV series called Hackad in the Swedish TV, please tell us a bit about that, especially how, yeah, how you were chosen, or, yeah.
Linus: Yeah, the TV series firstly is six episodes, and it’s broadcast on the Swedish Public Service television. And it can actually be viewed all over the world. But it’s in Swedish obviously. It’s six episodes with various themes, like private people, celebrities, companies, the smart home, etc. In each episode, we’re hacking different things, and showing what we’re doing and a lot of social engineering as well.
And I was approached by SVT, like maybe a year ago or a year before we started recording. And it was – we started, we recorded a pilot in December last year. And then we recorded the TV series in February, March. And a year approximately before that, I was approached by a person who was like working on developing the programme idea, and he got my name from another security consultant. And I, in turn, gave a few other names of security consultants that I knew were good at their jobs.
And in the beginning, the idea was that they were going to make a TV series about integrity and privacy and big data. So like Facebook, Google, what do they know about us, kind of thing. But me and a lot of other security consultants, I think told them that we can hack stuff. That’s what we do. And that’s pretty cool as well. I think they turned their attention or the focus of the TV series more, or not more, completely towards hacking things, both hacking private people and hacking companies.
In the pilot in December, we didn’t get any preparation, we were three people. And we showed up at a hotel and they said, “Hack this hotel.” And we went at it. We opened doors to try to find network connections, we attacked the WiFi, we did everything we could, but then eventually, we realised that this hotel is just one computer in the lobby, and the rest of the building is like a shared office space. So we failed miserably. But actually, for some reason, the pilot was, it turned out well anyway. And the managers at SVT they decided they wanted it so they ordered it and the production started two months later.
Oscar: Sounds super cool. And definitely, I watched some of the – some of the episode even though I don’t understand Swedish, but yes, it looked great, very interesting.
Linus: Yeah, actually, Jinny, one of the hackers in the TV series, she did an awesome job at actually translating all the episodes. So you can find English subtitles for the episodes out there.
Oscar: Oh, it’s already…
Oscar: Wow. I have to come back and watch then.
Linus: I can provide you with the link where you can actually watch the streaming – but streaming from SVT and then adding English subtitles on top of it, it’s possible.
Oscar: OK, perfect. We’re going to share that information so everybody can watch them. Fantastic. All right, excellent. And, as you say, at least in this series, it’s super visual when someone says OK, you can hack a person, it’s a celebrity, big profile company, can have machines, particularly machines, and yeah, it’s super wide how you can be hacked. Let’s bring the attention a bit on identity, which is the main thing we talked about in this podcast. We know that identity is, of course, quite connected to security. What do you think are the biggest problems related to identity that you find or you have been finding through your work as a security consultant?
Linus: Yeah, there are obviously a lot of technical issues that can be connected to identity authentication more. But on a higher-level identity I’m thinking, a thing I have been talking with clients about recently is this issue of government issued identification – because when you log into a generic application, you can usually say, you can provide whatever identity. You can make up your name, you can make up your– you can register any Gmail or any email address. But what about these applications where you need to prove your real identity, like public service applications?
I think that’s something I don’t think we’ve solved in our business like, is it… what/how do we identify as, like, me with my social security number to an application? In Sweden, we have something called mobile BankID. In other countries, they have similar but is that something we can require or expect every user to have? I think that’s a problem. I’m not sure it’s the biggest problem we have but it is a problem. Because some people might say that, “Well, my mobile BankID, that’s my private ID and I don’t want to share that with my employer, for instance.”
That’s probably something that needs to be solved. Like, we have a standard way of identifying a person in real life – passport, driver’s license, national identity card. But as far as I’m aware, we don’t have one that is universally accepted both by the individual and companies. Do you have any take on that?
Oscar: Yeah, it’s true. As you said, in Sweden there is a solution, I think it works pretty well. In a few other countries there’s something similar. But yeah, in the vast majority of countries, there’s no – first of all, there’s no global, as you say, there’s not something universal. And such solutions as the Swedish BankID is not present in most countries.
Linus: Exactly. And I was talking to a customer yesterday about like drivers in a company and the drivers, like kind of taxi drivers, they need to prove their identity when they start the car, or start like a device inside the car. And the best way of proving their identity would be mobile BankID. But then the question comes up, like can we really require that everyone has a mobile BankID, which is a personal identification? I’m not sure. And I guess that’s more of a legal aspect, I guess, than cybersecurity. But it is interesting nonetheless.
Oscar: Yeah, it is a good question definitely. Do some places, like as you give this concrete example of a driver authenticating so to say, to a car? Yes. What is a reasonable way?
Linus: Yeah, exactly. Because if you don’t use that kind of identification, let’s say you use a regular login, register and login like you do online, then you would have drivers running around with nicknames as authentication. Or, if it’s username and password, yeah, what makes it not the case that you share your username and password with another driver. So, as far as the public authority is concerned, one guy is driving, but actually it was another guy. So he may be his subcontractor that’s driving – his contract to another guy, and he just shared his login.
Oscar: Oh, yeah, actually that’s a very good observation, because in some of those cases, like driving a taxi or a bus, yeah, there should be more security into how the personnel identifies himself there.
Linus: Yeah, exactly. Imagine if the real bus driver was sitting at home watching TV, and then his brother, who wasn’t a bus driver, he was logging into the bus and driving it around. That wouldn’t be very good from a public safety standpoint.
And I guess these challenges are coming more and more as we are digitalising society more and more. Because if now, this is a fictitious example, but when you get your bus in the old way, or probably the current way, then you go somewhere, and you maybe show your ID at the gate, and you get your key, and then you sit down in the bus. But let’s say you digitalise all that, then you need government-issued or government-approved digital identification to prove your identity. And then we have BankID, but can we expect everyone to use that? Or is that perhaps not legal? I’m not sure. I think it’s an interesting question. That would be more important as we go further into the digitalisation of the society.
Oscar: Yeah, yeah it is. Yeah. So what else have you found related to identity on those activities? Obviously, I know that in the TV series already, you are hacking some person’s identity for instance, right? So what is typical? What situation is typical to find?
Linus: Yeah, I would… if you have only a password, so if you divide up like, it’s interesting to think of passwords as something you know, like a phone, something you have, and then your eye or your fingerprint as something you are. Let’s say you only have one factor, the password. Then we have a long list of different issues that can occur. And one of the most common ones that we abuse in the TV series is that users typically share passwords or use the same password on many sites. And then it’s enough that one of those sites is hacked and the database leaks. So I have terabytes of leaked databases on my computer, which I can search.
So that’s one of the first and most easy ways to do if you want to get into someone’s account, you search for their email address, and see what password they’ve been using previously, in other applications, and you try out those, that’s one.
Another one is that if I give my password to you, or to your application, then you have the password. And then if I share that password with another site, then you, with your application, can know my password and try it on other applications. That’s also I mean, a fundamental issue.
And then you have everything with password resets and password policies, there are loads of technical security issues that you can find. And it’s in applications that we penetration test. I think it’s our job to push the clients or we’d like to push them to increase security. So we often like add requirements as time progresses, up the requirement on password length, for instance.
But then, with multi-factor authentication, it’s interesting as well, because I think a lot of people think that if I have two-factor authentication, I have my SMS codes, for instance, I’m fine. Nothing can happen. Well, I think it’s, you’re way much better off compared to someone who doesn’t have it. But when it comes to the security of the application, then it becomes really important to secure this session. Because if you’re – once you are authenticated, there’s something proving that you continuously can access the application right – and that’s typically a session cookie or JWT token. And if someone can steal that, they have stolen your login without you actually giving up your password and the two-factor authentication code.
A good example of that: I did an assessment years back of a medical application for the everyday person in the society. And they were logging on with BankID. So that worked really solid, well. But then they had a vulnerability in the web application that disclosed the error log. And then in the error log were errors from all the other users. And in the error log was also their session cookie. So if I looked at their log, and waited for another user to trigger some error in the application, their session cookie would be logged, and I could see it. And then I could take that cookie, put it into my browser, and boom! Now I’m logged in as them.
See, I think it’s a good example of how you think a web application that requires mobile BankID is like 100% secure, but it’s actually not if it has these kinds of vulnerabilities. So there are a lot of things to test with regards to session management, like cookies and stuff like that, where it can go wrong.
Oscar: Yeah, that’s on the application side, right, the application that is right after you authenticate.
Linus: Yeah, exactly. Yeah, and I’ve found vulnerabilities around 2FA, two-factor authentication, as well, like, let’s say you implement it, and it’s working perfectly. It’s just that when you guess, or when you enter your 2FA code, you can do it an unlimited amount of times. And often the 2-factor code is four to six digits and if you can guess that at a high speed, and there will never be anything that prevents you from guessing further, you can potentially guess the right code.
Oscar: So you have done that. You have managed to…
Linus: I have done that. Yes. Yes, absolutely. And also backup codes – so sometimes you have two-factor authentication code, but then you have a backup code in case you lose your device and you are supposed to write down the backup code. If the backup code, that basically becomes a password. So it must be strong enough to stand against, I guess. But I’ve seen backup codes that are weak. So if they’re weak enough for you to be able to guess it, and perhaps you can guess indefinitely, and as long as you don’t have an application that detects this – detects and/or blocks, then maybe I can guess for weeks. That’s some examples of technical vulnerabilities that can affect I mean, high security authentication mechanisms. I mean, seemingly high as in two-factor authentication.
Oscar: Yeah. So you were able to hack most of two-factor authentication methods.
Linus: Not most, not most. Some, some only.
Oscar: The weakest ones. Yeah. Yeah.
Oscar: Like, for instance, ah, typical is the SMS OTP?
Oscar: Yeah, that’s one of the weakest, yeah. Just guessing and guessing and you find out the…
Linus: Yeah, exactly. If you’ve not implemented it properly in the backend, I mean, in the application. And obviously, a problem with two-factor authentication via SMS is also that the code is actually displayed on the locked phone, typically.
Let’s say you and me work in the same office and I’ve searched database dumps online and found your password in one of them and I try it out and I get confirmation that the password works, but you have two-factor authentication connected to your phone, then probably I’ll just wait until you leave your phone. And most people don’t leave their phone. But if you leave your phone to go to the toilet or something, I can log in and just look at your phone, enter the code into the web application and get in.
Oscar: The phone is locked but it shows them, yeah.
Linus: Exactly. Yeah, it shows at least the first line of the SMS, it will typically show.
Oscar: Yeah, very, very interesting, of course.
Linus: And I guess you probably talked or maybe you talked about SIM swapping attack. Have you done that?
Oscar: Yeah, tell us more if – what you have found out.
Linus: That’s another problem with SMS as a two – second factor is, you’re basically relying on your cell phone provider to not give anyone else your phone number. So you’ve outsourced your security to your mobile phone provider. So if someone and this has been done, it’s been written about online. If someone managed to go to the phone store and convinced them or over the phone, convinced them that they are you, get a new SIM card for your phone number, then for a brief period of time until you notice it, they will have access to your phone number. But during that window, they can log in as you.
Oscar: Yeah, exactly.
Linus: And it could be even the case that if you do issue a password reset, some applications will have a password reset functionality that only requires the user to have the phone available. So in that case, you don’t even need the password. You just have to do a password reset and confirm that you know you have the right number and then you’re in. That makes other types of two-factor solutions like a mobile app much, much better.
Oscar: And how often is this SIM swapping still done nowadays?
Linus: I’m not so sure about that. I don’t have any updated data or news on that. It was a long time since I heard about it. But it is, I mean, the principle is that you’re relying on your mobile phone provider. So it’s – in that sense, it will always be a viable attack. It will always be dependent upon them keeping your phone number secure.
Oscar: Yeah, it is definitely. And this is where mostly the attack is with the social engineering, correct?
Linus: Yeah, I would say so. But it’s not unreasonable in more sophisticated scenarios that you have an insider. So, if you look at these mobile phone shops, it’s typically young people that work there, they probably don’t have that much pay, so if you go to them, one of them, maybe take the one who’s mostly the least moral and the biggest amount of cash need, and you give them 1,000 Euro, maybe 10,000 Euro, I don’t know, they might be able to issue you a new SIM card for that number.
And then that’s the cost of getting into that account. So if you have – if you consider you as, I mean, if you value your security high, maybe you are a person with additional requirements for some reason, or security, maybe this should be taken into consideration.
Oscar: Yeah, I can see that’s still a big threat. Yeah, absolutely, I guess.
Linus: I would expect the future to show us more cases of buying insider access and stuff like that, especially ransomware gangs, nowadays, they have so much money. So it’s not unreasonable for them to pay these kinds of amounts, I think for insider access.
Oscar: Yeah. Well, especially like a big target, right? Not unlike like a normal person but yeah, the big target.
Linus: Yeah, exactly. But let’s say you work at a big company, but you’re a regular person. If it’s enough to take over your account to get VPN access into this big company, that can then be ransomwared, then you are actually a pretty normal person. But your access is worth a lot to a ransomware gang.
Oscar: Exactly. So they gave a bigger target than the company that we get. Yeah, exactly.
Linus: It’s like, sometimes, you say you can hear people saying I think it’s valid, like the, one of the best key chains to get hold of is the cleaner in an office because he can access everything. I mean, if you want to pay someone to do something for you, he has access to everything. And he’s walking around the office space when everyone is not there. So it’s him or her as a person. It’s not a high value target but the access they have is high value.
Oscar: Something I remember now when we had a chat with you a few weeks ago before this interview is that, you showed us on the TV series, I think you hacked one person, I don’t remember what you hacked exactly – either Facebook or some password. And because of that, thanks to the – well the single sign-on, for instance – by accessing one of these services, you were able to access many other services.
Linus: Yep, that’s right. And that’s – I think that’s episode one where we hack a private person’s Facebook account and then we can show him and the viewers that we had access to, I don’t know, 10, 20 applications, because he was using Facebook to authenticate to these applications.
That’s – I mean, that’s the nice thing with single sign-on, as in a Windows, typical Windows network but it’s also the downside. So in a Windows network, if you get hold of the identity of one person, you get access to all the resources this person has access to. So it’s, yeah, both pros and cons with that.
I understand why people use Google and Facebook to authenticate. And you have a lot of, what do you say, pros with that because you don’t have to manage a bunch of different websites or passwords. I mean, and you only need to trust that Google or Facebook is doing the authentication right. So there is a lot of good things with that. But then you should really keep that password and that account closely guarded. Because if you lose that it’s yeah, you have a lot of problems.
Oscar: Yeah, exactly. Yeah, it’s important to be aware of that. So the users see the benefits, the process you said, but also take it – yeah, keep it very secure, especially if it’s a main account, like Google or Facebook could be it’s a gate to other services as well.
In the side of, for instance, this case, we’re talking about authorisation because we are authorising via your access from Google, for instance, to some access to other applications. When you have, for instance, were able to hack some systems, bypass the authentication, have you found that the weaknesses in the authorisation that the systems are not properly configured or even designed to, to define well the authorisation of a user?
Linus: I think that’s one of the most common vulnerabilities we see because it’s complex. It’s typically more complex to get this right than other things. So an application typically has many, many different endpoints to get information, to change information, to add information. And every one of these needs to be configured properly usually in code. Like to access this endpoint, you need to be this role and this role. And it’s easy to miss that, to forget one or more of those, or configure them wrong. Maybe that’s one that should require a more strict role than another one. So I think the complexity there is working against developers. And we often see some mistakes in this area.
Oscar: And the mistakes go more into designing the system or configuring it, right? Or both, maybe in both, I think.
Linus: I would say it’s mostly implementing it, because when you design it, you can say that, well, the admin page should only be accessed by admins – administrators, for instance. But that requires that every admin action then is implemented such that it will deny a regular user access. So it’s up to the programmers often to do the right work to get this right.
And then it’s good to understand that, at least from my perspective, two main different types of access control mechanisms. It’s on a functional level, like role-based, you should have access to this area and not this. So let’s say you’re a regular user, you should not be able to access the admin page, or admin functionality. And then there’s an object-based, so I should be able to read my messages, not yours. And the latter one is typically the most difficult to get right because it might be that it’s built further down in deeper layers of the application where you need to actually check that the object that you’re trying to read and return is actually belonging to this user. That’s a typical vulnerability we find.
It’s actually something often pretty easy to test for regular people. If you’re browsing the web, and you– or you’re logged in somewhere and you’re maybe reading messages, downloading files, and you see the URL that has a number there, try changing the number to something else. And if you get someone else’s message, then maybe you committed a crime, I’m not sure. But at least you can report it to the company.
I did that for – you can say I can anonymise it a little bit, but privately I got, like I said, I got a certain kind of license, so I interacted with one government page. So I logged in, and I accessed like my test results on this license. And then I could see easily in the URL that there was a number there. So I just changed that number to another number, and I got someone else’s test results. And then I put that into a script. And I downloaded probably like 10,000 test results. And obviously I contacted them, found out who was responsible and told them about this, and they fixed it immediately. And they were really thankful. But it turned out that this database contains test results from I think back to the ’90s.
Oscar: Did your service to the…
Linus: Yeah, exactly.
Oscar: …to the community. Fantastic. Yeah, it’s excellent that the power of people like you that have this amazing technical expertise and can help not only specific companies, but also to everybody like to the whole country, the whole community. Fantastic.
Super interesting hearing your stories and everything we have in here. And please, final question we’d like to ask you is for all business leaders, decision makers who are listening to this, what is the one actionable idea that they should write on their agendas today?
Linus: Business leaders should be aware of the risks that they are having. So if they are not talking to the IT department, IT manager or CISO, if they are not talking to them, asking them like what risks do we have? Are we doing – are we assessing security? Then they should do that, because otherwise, the risk is that security is something that is handled below like far down in the organisation. And then this need for budget and time and everything that is needed to invest in security is not getting addressed at the top.
So if the leaders asked their subordinates, “Tell me about the risks we are having.” and they – then they need to get these reports. And that’s I think, how you – how it should start, not start but if you know what I mean. I think typically or in many organisations, security is not addressed at the top. So it should be considered an investment in your company, in your solutions, not just a cost.
Oscar: Exactly. Yeah, I could not agree more with that. Thanks a lot Linus for this very interesting conversation. It’s been a pleasure. Let me know if people would like to see your work or get in touch with you, what are the best ways?
Linus: I think LinkedIn is the best. That’s where I’m pretty active. I answer messages and yeah, I publish some stuff there every now and then.
Oscar: Great. And of course, do watch the TV series Hackad on the Swedish TV, which I’m going to put the link on this episode. Again, thank you, Linus, what a pleasure talking with you and all the best.
Linus: Thank you very much.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
[End of transcript]