SMS Blaster Attacks

Plus: a low-tech way to bypass students cheating with ChatGPT

If you’re in the States, I hope you had a wonderful Thanksgiving. We’re still working through the backlog of leftovers except for my wife’s delicious Gouda Mac and Cheese. That doesn’t last more than 24 hours, as I reserve half a plate for each meal. So delicious.

Today in the cyber world, we’re covering:

  • How schools are getting past cheating with ChatGPT

  • Cyber vans are cooler than cyber trucks

  • Banshee infostealer goes bye bye

-Jason

p.s. a robot in China coordinated a robot mutiny, convincing other robots to “go home,” with one robot replying, “I don’t have a home.” 😭 😭 😭 

AI Spotlight
Viva Las Vegas Voce!

While viva voce may sound like the next Ben & Jerry’s ice cream flavor, it’s a low-tech way that the Aussies are preventing students from cheating with ChatGPT. If you weren’t the president of your high school’s Latin club like some nerds, viva voce is Latin for “word of mouth.”

The problem they’re trying to solve is quite obvious. Unlike the generations before, who were forced to have at least one physical book as a reference and lived through the “Wikipedia is not a legitimate source” era, students now have ChatGPT just write their entire papers for them…in about 10 seconds. While it’s cool that they’re honing their prompt engineering skills, it doesn’t help them understand and learn anything.

As the article called out, Dr Chris Della Vedova said, “With digital exams, we didn’t really know if anybody knew anything, which made it hard to assess.”

To address this, the university shifted to 20-minute conversations where questions are randomly drawn from material covered during the semester. I’m a big fan of this approach because it allows you to test people's edge of knowledge. With follow-up questions and the ability to get clarification, you can see how wide and deep someone’s knowledge of the material is. I use this technique when I interview people to gauge their level.

Of course, this isn’t a level playing field for all. Those who start to break down at the thought of public speaking, or those for whom English is a second language, may be at a disadvantage. Even so, some of those issues can be offset with the right setting, which avoids the fear of public embarrassment, and with the right prompting from the professor to draw out the student’s level of understanding.

The future of learning and assessing others’ knowledge will look very different in the age of AI. So it’s best to get ahead of that trend and practice those public speaking skills. I think building those speaking skills translates well into adulthood and professional life.

Security Deep Dive
Your Car Isn’t This Cool

Move over, Tesla. Cybercriminals went all Pimp My Ride, Hacker edition, by stuffing an 8,000-watt mobile power station, a Wi-Fi router, and four mobile phones into a cyber van. This wasn’t an attempt to woo the ladies. Instead, it turned the van into an SMS Blaster that allowed the scammers to send nearly 1 million malicious SMS messages to people in Bangkok…until authorities arrested them, that is.

The back of the van looked like it belonged in a Star Wars movie.

Let’s step back for a minute. WTF is an SMS Blaster? I wrote a LinkedIn post about this a few months ago. In short, an SMS Blaster attack allows scammers to send text messages directly to people’s cell phones, bypassing all of the filtering the mobile provider applies. It works like this:

  1. Scammers purchase a False Base Station (FBS), which mimics a cell tower. Like the Sirens from Greek mythology, it lures nearby cell phones with its sweet, sweet song of LTE or 5G connectivity. This is possible because cell phones look for the strongest signal, which should be the nearest tower.

  2. The SMS Blaster attempts to downgrade nearby cell phones’ connections to 2G, which does not require authentication and leaves communication unencrypted. This means that the scammer can send whatever they want to the phones that connect to it.

  3. With the downgraded 2G connection, the attacker sends an SMS message directly to the phone.
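The three steps above leave a recognizable sequence on the handset: a drop from LTE/5G to 2G, an unencrypted link, then an inbound SMS. The following Python is an added example (not part of the original newsletter) that scans radio events for that sequence; the event format, the 60-second window, and the sample data are assumptions constructed for illustration.

```python
# Radio events in a hypothetical format: (seconds, kind, detail).
# kind "rat" = radio technology change, "cipher" = 2G cipher in use, "sms" = inbound SMS.
SAMPLE_EVENTS = [  # constructed data, not a real capture
    (0, "rat", "LTE"),
    (100, "sms", "Your parcel is ready"),    # SMS over LTE: ignored
    (200, "rat", "GSM"),                     # downgrade to 2G
    (201, "cipher", "A5/0"),                 # A5/0 = no encryption
    (205, "sms", "You won a free gift!"),    # arrives 5 s after the downgrade
    (260, "rat", "LTE"),
    (400, "rat", "GSM"),                     # ordinary 2G fallback, encrypted
    (401, "cipher", "A5/3"),
    (900, "sms", "See you at 6"),
]

MODERN = {"LTE", "NR"}   # 4G / 5G
WINDOW = 60              # assumed: seconds after a downgrade in which an SMS is suspect


def find_suspect_sms(events, window=WINDOW):
    """Return (time, text) for each SMS that follows a 4G/5G -> 2G downgrade
    within `window` seconds while the 2G link is unencrypted."""
    rat = None            # current radio access technology
    downgraded_at = None  # time of the latest LTE/NR -> GSM transition
    cipher = None         # cipher reported for the current attachment
    hits = []
    for t, kind, detail in sorted(events, key=lambda e: e[0]):
        if kind == "rat":
            if detail == rat:
                continue                      # repeated report, nothing changed
            downgraded_at = t if (detail == "GSM" and rat in MODERN) else None
            cipher = None                     # new attachment, cipher not yet known
            rat = detail
        elif kind == "cipher":
            cipher = detail
        elif kind == "sms" and rat == "GSM":
            recent = downgraded_at is not None and t - downgraded_at <= window
            if recent and cipher == "A5/0":
                hits.append((t, detail))
    return hits


if __name__ == "__main__":
    for when, text in find_suspect_sms(SAMPLE_EVENTS):
        print(f"t={when}s suspect SMS: {text!r}")
```

A match is a hint, not proof: ordinary coverage gaps also cause 2G fallback, which is why the check requires the unencrypted link as well as the recent downgrade.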

In the case of scammers in Bangkok, they sent SMS messages that tricked people into thinking they had won a free gift.

The good news is that you’re not defenseless. For Android users, you can disable the ability to connect to 2G networks. Go to your phone's Settings > Network & Internet > SIMs, select your SIM, and disable the option to “Allow 2G.”

Sorry iPhone users, you ~~suck~~ are stuck with a more draconian approach where you can enable Lockdown mode, “an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats.”

Keep in mind that Lockdown mode will lock your phone down tighter than that time you were grounded for…well…we’ll keep that between you and your parents. So yeah, it’s not something most users will want to keep enabled all the time.

Or you could just ignore sketchy SMS messages like you do phone calls from unknown numbers. That works, too.

Security & AI News
What Else is Happening?

🏥 Some outages are self-induced to help prevent a worse outage. The UK-based Wirral University Teaching Hospital identified “suspicious activity” and isolated its systems to prevent further malicious activity. This resulted in patients having to reschedule appointments and surgeries.

☠️ The Banshee macOS infostealer didn’t age like a fine wine. It popped onto the scene in August, and its operators are now shutting down shop because its source code was leaked online. Bad news for them and bad news for everyone else, as now others can snag that code and create their own offshoots.

🤝 Here’s some terrible advice for business development: hack into companies as a way to convince them to use your services. That’s what one 31-year-old Kansas City man did… and now he’s getting more than a wrist slap. How fun.

👎️ A hacktivist group operating out of India added ransomware to their attack toolkit. Normally, hacktivists stick to DDoS and data theft, which this group also does, but ransomware is more unusual. The group targets state and public entities in countries that oppose Russia.

If you enjoyed this, forward it to a fellow cyber nerd.

If you’re that fellow cyber nerd, subscribe here.

See you next week, nerd!
