Today at a glance.
- Evidence for a Saudi hack of Jeff Bezos' phone remains inconclusive.
- A New York Times reporter describes his experience with Saudi-installed Pegasus spyware.
- Paycard data from Wawa customers turns up for sale in the Joker's Stash.
- Affinity payment service inadvertently exposes user data.
Maybe the Kingdom hacked the tycoon's phone. But maybe not.
The matter of Mr. Bezos’ phone and the Crown Prince’s texts is increasingly regarded as inconclusive and at best circumstantial: something seems to have been going on, but a more thorough look would be necessary to determine what that might have been. Errata’s blog on the topic contains a clear and convincing discussion of why some of the apparent anomalies, like those involving the size of video files, really aren’t anomalies at all. For example, encryption always adds a little to the size of a file, so an encrypted file somewhat larger than its unencrypted original is exactly what one would expect. Yet the discrepancy between expected and actual file sizes is one of the findings cited as suspicious in FTI's report. Errata calls it confirmation bias: the investigators picked up suggestive bits of information and fit them into what they expected to find. Thus the evidence comes down to Saudi means, motives, and opportunity, but the verdict has to be, so far, not proved. Maybe they did, but maybe they didn't.
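To make the file-size point concrete, here is an added example (not from Errata, FTI or any messaging app's actual format) that seals a message in a typical authenticated envelope and then shows why a forensic analyst should compute the expected size range before calling a discrepancy an anomaly. It assumes a CBC-style layout: a 16-byte IV, PKCS#7 padding to a 16-byte block boundary, and a 32-byte HMAC-SHA256 tag; the keystream is a toy HMAC-counter construction so the example runs on the standard library alone, and the size arithmetic is what matters, not the cipher.

```python
import hashlib
import hmac
import os

BLOCK = 16    # block size the envelope pads to (assumption: AES-style 16-byte blocks)
IV_LEN = 16   # one block of IV prepended to the body
TAG_LEN = 32  # HMAC-SHA256 tag appended to the body


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """PKCS#7 always appends between 1 and `block` bytes, never zero."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block: int = BLOCK) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Toy HMAC-in-counter-mode keystream so the demo needs no third-party
    # crypto library. Demonstration only; use AES-GCM or similar in practice.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Envelope = IV || encrypt(pad(plaintext)) || HMAC(IV || body)."""
    iv = os.urandom(IV_LEN)
    padded = pkcs7_pad(plaintext)
    body = bytes(p ^ k for p, k in zip(padded, _keystream(key, iv, len(padded))))
    tag = hmac.new(key, iv + body, hashlib.sha256).digest()
    return iv + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the body, then strip padding."""
    iv, body, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, iv + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    padded = bytes(c ^ k for c, k in zip(body, _keystream(key, iv, len(body))))
    return pkcs7_unpad(padded)


def expected_size_range(plain_len: int) -> tuple[int, int]:
    """Smallest and largest ciphertext size this envelope can produce."""
    lo = plain_len + IV_LEN + 1 + TAG_LEN       # minimum padding is one byte
    hi = plain_len + IV_LEN + BLOCK + TAG_LEN   # maximum padding is a full block
    return lo, hi


def size_is_anomalous(plain_len: int, cipher_len: int) -> bool:
    """True only when the observed size falls outside what the format explains."""
    lo, hi = expected_size_range(plain_len)
    return not (lo <= cipher_len <= hi)


if __name__ == "__main__":
    key = os.urandom(32)
    video = os.urandom(4_000_000)              # constructed stand-in for a 4 MB clip
    blob = seal(key, video)
    print(len(video), "->", len(blob), "bytes; anomalous:",
          size_is_anomalous(len(video), len(blob)))
    assert unseal(key, blob) == video
```

The growth a CBC-plus-HMAC envelope adds is bounded and predictable (here between 49 and 64 bytes), so a ciphertext a few dozen bytes larger than its plaintext is the format working as designed. Only a size that falls outside the range the format can explain deserves the label "anomaly", and even then the next step is to identify the real container format rather than infer an implant.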
For sure, however, they fooled around with a journalist's.
In contrast with all of this, Citizen Lab’s account of Saudi Pegasus use against journalists seems to be holding up. Ben Hubbard, the New York Times reporter who brought a suspicious text to Citizen Lab’s attention, offers an account of his experience. When Mr. Hubbard gave NSO Group a screenshot of the suspicious text, the company told him it wasn’t their Pegasus tool, but declined to say how they knew that. NSO Group has commented publicly to the effect that it’s premature to blame every case of spyware on them: there are, as they correctly point out, a number of other tools out there, either on the market or developed in-house, that can give interested parties a look into devices of interest. NSO Group has been among the more prominent names in the field, but it’s far from being the only one.
Stolen paycard data turns up for sale on the dark web.
Wawa, the US East Coast convenience store and gas station chain, disclosed last month that it had been the subject of a criminal cyberattack that began in March. They discovered the compromise on December 10th, and the store and its security vendors were able to contain the attack on December 12th.
It now appears that the breach was larger and more consequential than hitherto believed. Late Monday it was discovered that some thirty million Wawa customers’ paycard records were being offered for sale on the notorious Joker’s Stash. The Joker’s Stash is advertising millions of cards in a file it calls “BIGBADABOOM-III.”
Gemini Advisory, a New York-based anti-fraud shop, says that the Joker hasn’t laid all the cards on the table, but that those they have seen map to Wawa customers, mostly in Pennsylvania and Florida. That all thirty million cards haven't been placed on the virtual countertop is neither here nor there. Criminals are indeed sometimes given to exaggeration, but they also usually release their wares piecemeal, the better to avoid depressing prices by flooding the market all at once. KrebsOnSecurity has a useful summary of the incident, including an account of what Wawa is doing to try to limit the damage to its customers.
Cornerstone Payment Systems accidentally exposes user data.
TechCrunch reports that Cornerstone Payment Systems, an affinity payment service that aligns itself with Christian values and serves mostly ministries and not-for-profit charities, inadvertently left an unprotected database exposed to the Internet. Some 6.7 million records were exposed. Cornerstone has since secured its data.