Don't forget to look up Cylance while you're there. Drop by booth 3911 in the North Hall and meet with their expert professional services staff, or attend one of their featured conference sessions. Or if you're in a festive mood, connect with them at the Digital Shadows Security Leaders' Party. Visit Cylance to learn more.
The Week that Was.
April 7, 2018.
By The CyberWire Staff
Hudson's Bay Company subsidiaries breached.
On March 28, 2018, the JokerStash "hacking syndicate" (also known as "Fin7") began offering more than 5 million payment cards for sale in dark web souks. The cards appear to have been compromised in a breach of retailers Saks and Lord and Taylor dating to May 2017. Both retailers are owned by the Hudson's Bay Company. The breach was publicly disclosed this past Sunday (New York Times).
125 thousand records have been released for sale so far; the rest are expected to appear on the black market within months. Hudson's Bay tersely says it's addressed problems in its network security, continues to investigate, and plans to offer affected customers the usual sorts of post-breach assistance, including "free identity protection services, including credit and web monitoring" (Reuters).
Find out how enterprises can be equipped with a continuous 360° view of which critical assets are at risk, what security issues they should focus on, and how best to harness their resources to resolve them. Simulate, validate and remediate every hacker’s path to organizational critical assets.
Delta Airlines and Sears both said that "hundreds of thousands" of customers' personal information was exposed through an online chat service they used for customer support. The chat service was provided by 7.ai, which also sells to other companies. In a statement, 7.ai said the breach began on September 26, 2017, and was "discovered and contained" on October 12. It notified Sears and Delta in March. Other companies were also affected, Best Buy among them, and no doubt others will come to light in coming weeks (C|NET).
Learn how security can fuel innovation rather than hinder it.
Development velocity is accelerating with DevOps methodology adoption, yet security is still not well-integrated into the coding and deployment processes. It’s viewed as an obstacle. Security teams are falling further behind as their manual processes and controls can’t scale at the same rate as development. This paper discusses how by shifting security left in the development process, it’s no longer an obstacle to velocity, innovation and competitiveness. Instead, it’s an asset.
Third-party risk: pipeline operators hacked.
Four pipeline operators reported that their electronic data interchange (EDI) had been affected by a cyberattack. Energy Transfer Partners LP, Boardwalk Pipeline Partners LP, Chesapeake Utilities' Eastern Shore Natural Gas, and Oneok Inc. were all affected. The EDI, which expedites shipping and billing to customers by machine-to-machine document transfers, is a third-party system provided by Energy Services Group LLC. There's been no attribution; investigation and remediation are continuing. It's worth noting that the attack affects IT systems and not (insofar as is known) OT systems (Energy Voice). Billing delays, if not the malware itself, have propagated across the energy sector (Bloomberg).
The attack, which appears to be the work of criminals and not state espionage services, has reminded many of recent US Government warnings that Russian cyber operators are conducting apparent battlespace preparation of US infrastructure. Phil Neray, VP of Industrial Cybersecurity at Boston-based CyberX, realizes that, while this isn't the grid-killing attack so many people fear, it's a disturbing harbinger of what may come. "The FBI/DHS alert makes it clear that our critical infrastructure is in the cross-hairs of our adversaries. This looks like a financially-motivated cyberattack, likely by cybercriminals, but we've seen in the past that cybercriminals often collaborate with nation-states and share hacking tools with each other. It's easy to imagine a ransomware attack that uses nation-state tools to hijack ICS/SCADA systems and hold the pipeline hostage for millions of dollars per day."
Obtain full visibility into your security team with Cybrary.
It’s easy to track, measure, improve and grow your security team with Cybrary’s business platform. Not only will your team have access to an expansive catalog of IT and Cyber Security learning resources, you can operate more efficiently with full visibility, without compromising company standards. Start your team's free training pilot today!
Bear feels cornered (says Bear).
It's natural that suspicion should turn to Russia during this period of heightened tensions exacerbated by Russia's use of nerve agent against Sergey Skripal (former GRU officer who spied for Britain's MI6) and his daughter Yulia in Salisbury, England. Russian Foreign Minister Lavrov thinks US-Russian relations are worse than they were during the Cold War: the US and UK have lost that sense of decency they once possessed, and are now engaged in full-on disinformation (Times). The Russian line concerning the Salisbury attack is that it was an Anglo-American provocation. Russian accusations of provocation have gained little traction, and have shifted to direct bluster: the UK is "playing with fire" (Reuters).
US President Trump has been in conversations with French President Macron and German Chancellor Merkel concerning a coordinated response to Russian actions in the UK and elsewhere (Kaplan Herald). New US National Security Advisor Bolton is said to favor a hard line against Russian cyber operations in particular, urging that the US undertake cyber reprisals that would be, as Bolton put it, "disproportionate" (Haaretz).
The Russian government is more accustomed to pwning than being pwned, but the Ukrainian Cyber Alliance, a hacktivist group strongly opposed to Russia's slow-motion re-engorgement of their country, has released a third tranche of emails which observers provisionally at least judge to be authentic. The emails detail Russian information operations aimed at destabilizing and delegitimizing Ukraine's government. The emails name Vladislav Surkov, whom the Times of London describes as "a Kremlin spin-master said by some to be Mr. Putin’s Rasputin." The other interesting point is the online astroturfing of kinetic demonstrations and street violence: "sportsmen" skilled in martial arts were recruited as muscle for protests in Ukraine (Times).
We're joining Akamai in their booth in RSA's North Expo Booth #3625. Thanks to Sponsor Akamai. Harnessing the cloud – without losing control.
Panera data breach.
Panera Bread is receiving poor reviews for the security of its online ordering system in the wake of the data breach disclosed this week (Medium). Lost data include customers' names, email and physical addresses, birthdays, and the last four digits of credit card numbers. Millions who ordered food online from panerabread.com are potentially affected, but the company thinks less than ten thousand customers were potentially affected (Reuters). Panera was notified of the problem back in August by researcher Dylan Hoilihan, but were slow to either believe him or take action (HOT for Security).
Atlanta's stubborn ransomware infestation.
The SamSam ransomware attack against Atlanta's municipal systems is proving distinctly difficult to remediate, although the city is in the process of recovery (Insurance Journal). Investigation and remediation continue with an array of partners at Federal and state level, and from the private sector. Other cities of comparable size are rightly spooked by the prospect that they might be next (Scientific American).
Facebook's rough ride continues (Graham Cluley). More bad news hit Wednesday afternoon, when the company announced that most of its 2 billion users have had their personal information scraped by third parties without their permission (Washington Post). The data problems affect a large number of EU citizens, which is attracting attention during the run-up to full GDPR implementation (TechCrunch).
The company is also receiving unwelcome attention in the UK for its failure to do something, or at least something more, about anti-Semitic content. This criticism has grown alongside the ongoing Labour Party scandal involving scurrilous social media activity by party leaders (Guardian). Groups in Myanmar, which Facebook had cited as a success story in its attempt to moderate content to restrict various forms of terrorist incitement and so forth, complained this week that none of this was so, that what Facebook actually did was take (slow, in their view) action on complaints the groups themselves raised (TechCrunch).
Facebook's CEO Mark Zuckerberg did take some shots back at Apple, which last week repeated its view that, when services are free, the user and not the service is the real product. Mr. Zuckerberg's rejoinder was: "I think it's important that we don't all get Stockholm Syndrome and let the companies that work hard to charge you more convince you that they actually care more about you" (CNBC).
On the issue of fake news, he said Facebook hadn't really understood the extent of Russian information operations, but it does now, and will be on the alert. On Tuesday the company kicked a large number of Russian trolls from its platforms purely on the basis of association with St. Petersburg's Internet Research Agency (TechCrunch).
Mark Zuckerberg has organized Facebook to make his own position as CEO essentially bombproof: he can't be fired; he can only resign. A piece in Wired argues that resign is what he should do. It would, the essay says, be best for the company, its users, the world at large, and Zuckerberg himself. The company retains large ambitions about its place in the world, but how those will hold up remains to be seen (News.com).
Mr. Zuckerberg goes to Washington.
The Facebook CEO says he'll testify before the US House Energy and Commerce Committee on April 11th (TechCrunch). Maybe they'll ask him why Facebook appears to be preparing to give North American users a lesser degree of privacy than people elsewhere. The quick answer is because GDPR won't apply in the New World (TechCrunch). They might also ask about how calls for content moderation and demands for privacy protection pull the company in different directions: attempting to screen for objectionable content, Facebook scans what users share via Facebook Messenger (Bloomberg). They might also ask about the videos users deleted, which Facebook apparently retained (Naked Security). Mr. Zuckerberg will also testify before the US Senate Judiciary and Commerce Committees. He'll do so Tuesday, April 10th, the day before he visits the House (TechCrunch).
Tu quoque, bro.
Blockchain guys are arguing, as Ethereum's Vitalik Buterin calls Satoshi-Nakamoto-claimant Craig Wright a "fraud," and Wright says Buterin's just afraid of Wright's Bitcoin Cash, and like, come at me bro'...you can run but you can't hide (we paraphrase). Motherboard likens it to professional wrestling: Buterin's the face and Wright's the heel. Let's see if the two of them can keep from breaking kayfabe.
Crime and punishment.
FSB officer Dmitri Dokuchaev agreed to plead "partially guilty" in a Russian court to charges of sharing information with a foreign intelligence service, presumably an American one. Dokuchaev is in trouble with both sides of this spy-vs.-spy squabble: the FBI also wants him in connection with the Yahoo! breach (McClatchy).
An allegedly fraudulent initial coin offering (ICO) landed the founders of Centra Tech in the US District Court for the Southern District of New York. Arrested March 30, 2018. in Florida, Sohrab Sharma and Robert Farkas were charged Monday with securities and wire fraud by both the US Securities and Exchange Commission and the Justice Department. Centra Tech said it offered a cryptocurrency wallet and a blockchain debit card that would let people convert their cryptocurrencies into government-backed fiat money instantaneously. The Government says no. (New York Law Journal). The ICO exploited both blockchain mania and celebrity endorsements: music producer DJ Khaled and boxer Floyd Mayweather prominently flacked for Centra. Neither was named in the suit, but the SEC has warned celebrities to tread carefully in their endorsements of ICOs (Fortune).
In the US the Georgia state Senate passed a bill that would broadly criminalize unauthorized access to computer systems, which criminalization would apparently extend to security researchers. The state is thought to have been embarrassed by 2017's discovery by an independent researcher of vulnerabilities in Kennesaw State University's election system. The Electronic Frontier Foundation and others have urged the Governor to veto the law as soon as possible (SecurityWeek).
Courts and torts.
Cambridge Analytica will face a class action suit for its role in the Facebook data scandal. The Federal suit was filed in New York (New York Law Journal). Various consumer groups have filed a complaint against Facebook with the US Federal Trade Commission (Wall Street Journal).
Observers have been speculating about what the data scandal might have cost the parties involved had GDPR been in full effect, and had they been found in violation of the European privacy regulation. A senior partner at MacRoberts LLC told SecurityWeek that under current British data protection law fines would be capped at £500,000 ($703,325). Under GDPR penalties could amount to 4% of a company's worldwide turnover. In the case of Facebook that could be as high as $1.6 billion.
Patches and security upgrades.
On Monday Google announced that, effective immediately, developers would no longer be permitted to upload apps with cryptocurrency mining extensions to the Chrome Web Store. Extensions already in the Store will be delisted sometime in June. The ban affects only miners, Google said, not other legitimate blockchain apps (eWeek).
Intel has decided not to patch the Spectre vulnerability on some older chips. It's just too hard. The lines that will go unpatched include 2007's Penryn, Yorkfield, and Wolfdale; 2009's Bloomfield and Clarksfield; 2010's Jasper Forest, and 2015 versions of Intel Atom SoFIA (Digital Trends). Intel is also telling users to uninstall Intel Remote Keyboard. It's insecure, and Intel is killing the app (Threatpost).
On Tuesday Microsoft pushed an out-of-band patch to its Malware Protection Engine. The vulnerability (CVE-2018-0986, discovered by a researcher with Google's Project Zero) could be exploited to execute code in the LocalSystem account's security context, enabling an attacker to assume control of the affected system (Help Net Security).
Amazon has released a number of security enhancements for its AWS platform. They're also addressing a subdomain hijacking issue that arose from misconfigurations: a proof-of-concept experiment showed it possible to abuse CloudFront's CDN routing mechanism to point misconfigured sites to an attacker's own endpoint (Bleeping Computer).
Cloud-based security and compliance shop Qualys announced it had acquired the software assets of Singapore's 1Mobility. The acquisition will enable Qualys to extend PCI certification to mobile devices and enable distribution of applications and security policies over-the-air to business- and employee-owned devices (Markets Insider). Private equity firm Francisco Partners announced Tuesday it has concluded an agreement to buy privileged access firm Bomgar from Thoma Bravo under undisclosed terms. Bomgar had itself recently acquired Lieberman Software (PE Hub).
Critical Start completed its acquisition of next-generation security analytics company Advanced Threat Analytics. Critical Start hopes to use the new capability to deliver customers "a differentiated approach to managed security services" (PRNewswire). In a play to extend its reach into the archiving market, email security provider Zix has acquired Erado, which sells the financial sector archiving, supervision, eDiscovery, and analytics. (BusinessWire). Intel announced its intention to spin-out embedded systems subsidiary Wind River to "financial giant" TPG (Venture Beat). RSA has acquired Israeli behavioral analytics start-up Fortscale. Fortscale's thirty employees are said to be preparing to move to RSA's Israel R&D center (CTECH). The acquisition is expected to contribute to an expansion of RSA's Netwitness SIEM platform (CSO).
General Dynamics closed its no-longer disputed acquisition of CSRA on Tuesday. It's become the largest US Federal IT contractor, and that sector now has two dominant players: General Dynamics and Leidos (Washington Technology).
Embedded device security shop Red Balloon raised $21.9 million in a Series A round this week. Bain Capital Ventures led the round, with other investment from Greycroft, American Family Ventures, and Abstract Ventures. (BusinessWire). ThreatX, providers of a SaaS-based Web application firewall has closed an $8.2 million Series A round led by Grotech Ventures and Access Venture Partners (BusinessWire). Corero is issuing new shares to fund growth: 69.6 million new shares at 5.75p each. Three company directors have subscribed for 17.2 million of the new shares (Proactive Investors)
Hemi-demi-semi unicorn Darktrace is seeing a sharp increase in three things: revenue, hiring, and losses, a common pattern among start-up stars (Telegraph).
Zscaler reportedly turned down several suitors before its IPO (Bloomberg). Among the buyout offers was one from Cisco, which is reported to have offered Zscaler about $2 billion (Silicon Valley Business Journal).
Easter has succeeded Lent...
...and malware infection rates have returned to normal (Enigma Software). Enigma Software predicted such a reversion to the mean, and indeed it began on Monday, the day after Easter. (Memento, homo, quia pulvis es, et in pulverem reverteris. So too your networks. Put those ashes back on.)
Today's issue includes events affecting China, European Union, France, Germany, United Nations, Russia, United Kingdom, United States.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.