Dave Bittner: [00:00:03:16] Encouraging news about Android apps, Cloudbleed, and Slack's swift bug patching. Amazon finds a typo at the root of Wednesday's internet outages. Symantec opens a venture arm. Yahoo! breach postmortems continue. Decryption tools for Dharma ransomware are out. Prospects look dim, again, for Wassenaar. China calls for the demilitarization of cyberspace. And my discussion with Melanie Gluck from Mastercard on the behind-the-scenes security systems that protect credit cards, and the security sector bids farewell to Howard Schmidt—leader, advisor, and mentor.
Dave Bittner: [00:00:44:18] Time for a moment from our sponsor, Netsparker. You know how to tell a false positive from a real threat? Netsparker does. If it's exploitable, it's real. Netsparker's distinctive automated scans drive out the false positives, save you money and improve security. Their approach is proof-based scanning. Netsparker's innovative scanning engine automatically exploits the vulnerabilities it identifies in websites and presents you with a proof of exploit. You don't need to verify the scanner findings to see if they include false positives. If Netsparker tells you it's bad, trust them, it's bad! Remember, if it's exploitable then it is definitely not a false positive. Learn more at netsparker.com but, wait, there's more, and we really do mean more. Go to netsparker.com/cyberwire for a free 30-day trial of Netsparker desktop. It's fully functional. Scan your websites with Netsparker and let them show you how they do it. That's netsparker.com/cyberwire. And we thank Netsparker for sponsoring our show.
Dave Bittner: [00:01:53:19] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Friday, March 3rd, 2017.
Dave Bittner: [00:02:04:17] There's some welcome good news about vulnerabilities and risk mitigation today.
Dave Bittner: [00:02:08:19] First, Google has removed one-hundred-thirty-two Android apps from the Play Store. The bad apps contained hidden iFrames that linked to malicious domains, and, while it's good they've now been purged, it seems those apps weren't in much position to do damage anyway: Poland's CERT had sinkholed the malicious domains back in 2013. So bravo Google, but bravissimo CERT-Polska.
Dave Bittner: [00:02:32:21] The Cloudbleed bullet also seems to have been dodged, despite the initial angst with which news of the bug was received. Cloudflare says, after investigation, that the vulnerability was triggered 1.2 million times, but that they found no evidence of malicious exploitation. Cloudbleed had the potential to do a great deal of damage, so this is welcome news. Cloudflare is taking steps to check its code: the company has engaged Veracode to perform a third-party audit of Cloudflare's software.
Dave Bittner: [00:03:01:22] Cloudflare's investigation was conducted over twelve days and concluded that there's no evidence that passwords, paycard information, or other sensitive data were compromised, as had been widely feared. Industry reaction to Cloudflare's report seems mixed but generally positive (and relieved), and so we're content to call this one a dodged bullet.
Dave Bittner: [00:03:22:15] And Slack is getting unmixed, good reviews for their swift patching of a vulnerability—another potentially serious one—that exposed user tokens to compromise. They responded to the report in about half an hour and had a fix out in five hours. A Detectify researcher reported the vulnerability under Slack's bug bounty and has received $3,000 for his work. Slack credits the bug bounty program with helping to keep its business collaboration tool safe and secure. Had Slack not closed the vulnerability so quickly, a great deal of sensitive and casual chat could have been compromised. And in electronic business communication, remember, the casual is always the sensitive. If you don't believe us, ask Sony.
Dave Bittner: [00:04:05:13] Amazon has identified the cause of the S3 server outage that rendered large swathes of the Internet unavailable Wednesday. It turns out to have been a command entry error during debugging. An operator (whom Amazon takes care to identify as "an authorized operator"—this was no hack by either an inside or outside threat) intended to remove some capacity, temporarily, which is a routine practice. Unfortunately, a typo caused the command to remove far too much capacity, as so many users in North America saw to their chagrin. Amazon is working on procedures to prevent a recurrence.
Dave Bittner: [00:04:45:14] In industry news, Symantec has opened a venture arm. It has been given the helpfully obvious name "Symantec Ventures", and is expected to serve as a kind of M&A on-ramp for its parent company.
Dave Bittner: [00:04:58:12] Yahoo!'s exit by sell-off to Verizon is concluding with whimpers as opposed to what could have been pleasing bangs: the Yahoo! Board's investigation of the company's breaches is finding fault and imposing costs on executives. In a gesture of responsibility, CEO Mayer has asked the board that her bonuses be distributed among employees. Those bonuses are thought to be worth about $16 million in cash and equity grants, which, curiously, is about what Yahoo! believes it's spent so far in legal fees and the cost of investigation.
Dave Bittner: [00:05:31:00] Returning to good news, if you were among those afflicted by the Dharma strain of ransomware, ESET and Kaspersky have verified that decryption tools posted by independent researchers are in fact good. You can find those tools and other helpful material at NoMoreRansom.org.
Dave Bittner: [00:05:48:14] The controversial Wassenaar cyber arms control regime's future looks shaky. Many in the security industry have been concerned that it would criminalize innocent—indeed, essential—vulnerability research and inhibit beneficial trade in legitimate security products. The current US administration is thought to be cool at best toward Wassenaar, but in fairness, its predecessor was also pretty double-minded on the accord itself, having put forward and then revoked implementation plans.
Dave Bittner: [00:06:19:11] China warns of the dangers of cyber conflict. The Chinese Ministry of Foreign Affairs piously notes the interconnection of interests we see in cyberspace and expresses hope that nations will be led by enlightened self-interest to forgo the grand illusions of cyber military supremacy and victory in cyber conflict, concentrating instead on administering this new global commons for the common good.
Dave Bittner: [00:06:43:24] Perhaps the People's Republic will convene an international conference devoted to ways of building confidence and making cyber war unthinkable. Perhaps those new artificial islands in the South China Sea could provide a venue for such negotiation.
Dave Bittner: [00:07:00:20] Finally, we end today on a serious note as we mark the passing of industry leader, Howard Schmidt, who died this week at his home. Schmidt had not only been a CSO at Microsoft and a CISO at eBay, but he also served as an advisor to both President George W. Bush and President Barack Obama. He led industry groups, wrote influential works on cybersecurity, and, perhaps most important of all, served as a thoughtful, loyal mentor to a generation of security professionals. Our condolences to his family and friends as the industry remembers a life well lived.
Dave Bittner: [00:07:39:18] Time for a word from our sponsor, Palo Alto Networks. You know, it's almost impossible to run an organization without the public cloud today and we'd like to tell you about how our sponsor, Palo Alto Networks, can help you utilize any cloud safely and securely. You can find them at go.paloaltonetworks.com/secureclouds. The cloud is no longer just a convenient place somewhere out there to put stuff. It's an integral part of the way modern enterprises work. Palo Alto Networks understands this and they also understand that securing your data and applications that are distributed across the private cloud, the public cloud, software-as-a-service environments and any number of configurations in-between is key. Make sure your data and apps are secure and protected wherever they may be. Palo Alto Networks has the broadest, most comprehensive cyber security for private cloud, public cloud and software-as-a-service environments. They know that secure clouds are happy clouds. So keep yours happy. Get started at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.
Dave Bittner: [00:08:51:03] Joining me once again is Emily Wilson. She's the Director of Analysis for Terbium Labs. Emily, welcome back. Tax season is looming large ahead of us here, sooner than later, and in terms of the dark web that means that certain types of data start showing up.
Emily Wilson: [00:09:06:06] Yes, definitely. I am glad to be back. It is definitely tax season. Some information does become more popular around tax season. People are not really trying to buy W2s the other part of the year. This is now definitely when the marketing is more interesting. In addition to the W2s that go up for sale though, some of the data that is around the rest of the year is also really useful. I know of at least one vendor who is selling EINs, these Employer Identification Numbers. You think about the State's driver's license databases that are up for sale - that kind of information is definitely helpful. However, the things that I find interesting are children's social security numbers up for sale on some of these markets and, when you think about what you are going to that for, I mean, really, you're going to claim dependents. So somebody else may be claiming your kids!
Dave Bittner: [00:10:00:19] What is the relative value of this sort of data compared to something like a credit card number?
Emily Wilson: [00:10:07:16] I think it depends on how much work you are willing to put into it. A credit card number is going to be a little bit easier to process. I think the labor intensiveness of pulling off tax fraud - you need to place your bets pretty carefully.
Dave Bittner: [00:10:23:15] And the IRS has said, over and over and over again, that this is a problem. People stealing W2s is a problem, filing fraudulent claims is a problem but it seems like the IRS waffles back and forth sometimes about how secure the system is or not.
Emily Wilson: [00:10:43:21] Yes. I think the IRS is facing its own issues, having its own system secure to say nothing of what they're going to do when people are using stolen or fraudulent data on their returns. Last year was not a very good year for the IRS in terms of keeping their own system safe.
Dave Bittner: [00:10:58:15] Has this kind of fraud reached the point where it's the type of thing that you can buy as a service yet or is it still you're pretty much on your own, rolling your own when it comes to this kind of fraud?
Emily Wilson: [00:11:09:22] That is a good question. I personally haven't seen any vendors offering up fraudulent tax returns as part of a dark web service but I don't know, ask your accountant if they accept bitcoin.
Dave Bittner: [00:11:22:17] All right. Emily Wilson, thanks for joining us.
Dave Bittner: [00:11:31:09] And now for something you'll really like. Some research from our sponsor, Cylance on Snake Wine, a modest little vintage but you'll be amused by its pretension and grossed out by the viper curled up in the bottle. But, seriously, in this case Snake Wine is an APT campaign Cylance has found prospecting Japanese victims. Attribution is as interesting as it is unclear. It looks like APT-28 in some ways but not others. Whether it's the Russians, the PLA or someone else entirely, Snake Wine is served by phishing and seems likely to be used in disinformation efforts. You don't need to know who done it to get protected. Visit the threat spotlight piece on Snake Wine at cylance.com/blog and lay off the venom, denatured or not. Once again, check out cylance.com/blog and we thank Cylance for sponsoring our show.
Dave Bittner: [00:12:31:21] My guest today is Melanie Gluck. She's a Vice President at Mastercard, responsible for EMV and contactless technology in North America. We began our conversation with the credit card industry's move to chip and PIN cards, or EMVs.
Melanie Gluck: [00:12:47:15] The goal behind driving chip into the market, or EMV is another name for chip cards, is to actually do basically an upgrade of the payment system and start to deliver dynamic, different information with every transaction. So, the magnetic stripe that we're all so used to swiping, when that is issued, it's issued and it's static and it doesn't change so it's like the old record albums - whether it's a six or twelve inch or whatever - those things got programmed and you bought one and it was the same song over and over and never changed. The mag striped card was very much the same way, the same information is on that stripe.
Melanie Gluck: [00:13:33:17] There is a real opportunity to combat counterfeit fraud by making each transaction unique and mag stripe cards can't do that. A chip card, however, has a piece of hardware on it, which is actually a microprocessing chip. When you layer that with payment software, you then have the ability to actually make each transaction unique by delivering, in layman's terms, dynamic data or, more accurately, a digital certificate or cryptogram with every transaction. There are about 2.7 million locations that are chip active today, which represents about 40% of merchants, and that number will continue to grow nicely throughout 2017 and beyond.
Dave Bittner: [00:14:25:23] Can you take us behind the scenes of some of the things that go on to protect our credit cards? For example, occasionally you'll get a call from your credit card company that says, "Hey, we just got an alert that you were trying to buy something in Yugoslavia and we don't actually think you're there."
Melanie Gluck: [00:14:45:14] It is a great question. What you are asking really talks about the multiple layers of approaches and tools that can be used to combat fraud and do risk management in the financial industry. Therefore, the card and this chip is definitely an important piece of fraud protection but there are very sophisticated algorithms and monitoring that banks and, indeed, merchants and acquirers do throughout the ecosystem to pay a lot of attention to what trends they see, sometimes it's about you and your spending patterns, sometimes it's about other broader trends - are we seeing a lot of small transactions or are we seeing a lot of green transactions, etc. - that they stay very attuned to and pay a lot of attention in billed history so they can do modeling and get very nuanced in terms of recognizing when there are possibly troublesome transactions happening.
Melanie Gluck: [00:15:46:20] When we started talking about those chip cards, I described them as a piece of hardware with some payment software sitting on top of them. The software and the hardware interact together allowing the generation of the data for the payment transaction as well as this digital certificate, this dynamic information.
Melanie Gluck: [00:16:05:17] One of the really important ideas in that is that if you have software sitting on a piece of hardware, it happens to be on a chip card today but you can start to really envision how, well, a piece of hardware doesn't necessarily need to be on that chip card, perhaps it can be on something else. So when Mastercard looked at rolling EMV out or chip cards out into the US, it was very important to us to think about not just the plastic card but the digital environment. What's going to happen with your smartphone? What's going to happen with your computer or your tablet or your fitness band or, potentially, jewelry. There are many other ways of doing payments that involve other kinds of "devices". People didn't use to think of rings as possibly payment technology, but we've actually been able to leverage that software in a chip and put it into other things that started most prevalently with smartphones. As you look at the variety of mobile wallets that are available from MasterPass, that is Mastercard's mobile wallet to Apple Pay, Samsung Pay, Android Pay, Microsoft Wallet and others, onto moving away from the smartphone but to a fitness band or a piece of jewelry that allows you to tap your finger as you go through a turnstile for instance and not pull out either a card or a mobile phone but, again, you come back to needing that software and that chip and placing them in something and that's part of the picture.
Melanie Gluck: [00:17:49:06] The other part of the picture is really thinking about what is the payment information that is on that device or on that chip? Can we actually go a step further and protect the card number by using a substitute value or what we call a token? So tokenization is something you'll hear a lot about in the payments ecosystem today because it offers a way to put payment credentials onto a smartphone or that ring, fitness band, etc., have it related to the original card, but not have that card number placed in any more locations. So if I lose my smartphone, I don't have to replace my card, I can get a new smartphone and put a new token onto that smartphone and my card is still in my hand. Alternatively, if by chance I was unfortunate and lost the card, that token on the phone or the ring or the fitness band can stay in my hands and I can still be transacting while I am getting my new card because we can map it on the back end and keep that consumer able to transact and continue about their day to day lives with as little disruption as possible.
Dave Bittner: [00:19:07:02] That's Melanie Gluck from Mastercard.
Dave Bittner: [00:19:14:01] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how they can protect you from cyber attacks, visit cylance.com. Be sure to check us out on Twitter and Facebook and LinkedIn and, if you have the inclination, we would really appreciate it if you would take the time to leave a review on iTunes. It really does help people find the show.
Dave Bittner: [00:19:41:16] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell. Executive Editor is Peter Kilpe, and I'm Dave Bittner. Have a great weekend, everybody. Thank you for listening.