Multibreach via chat app. OceanLotus notes. Mirai vs. Banks. Energetic Bear vs. Switches. Russia warns Britain against provocation. DataTribe finalists.
Dave Bittner: [00:00:01:00] Thanks to everyone who's shown their support for the CyberWire by being a Patreon supporter. You can check it out at patreon.com/thecyberwire.
Dave Bittner: [00:00:12:19] A breach in several companies' consumer-facing systems is attributed to a third-party chat vendor. Crooks are tampering with chipped debit cards. OceanLotus is back, with a MacOS backdoor. A Mirai variant was used against banks earlier this year. Energetic Bear may be exploiting misconfigured switches. Microsoft looks into Office 360 outages. Russia warns Britain against playing with fire. And three cyber startups are DataTribe finalists.
Dave Bittner: [00:00:45:12] It's time to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time, while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. If you're headed to RSA this year, stop by ThreatConnect's north expo booth 3225 for a live demo of the ThreatConnect platform and, of course, pick up one of ThreatConnect's famous t-shirts. And if you're not headed to San Francisco, well you can register for a free ThreatConnect account or learn more by visiting threatconnect.com/free. That's threatconnect.com/free to learn more. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:02:01:04] Major funding for the CyberWire podcast is provided by Cylance from the CyberWire Studios at DataTribe. I'm Dave Bittner with your CyberWire summary for Friday, April 6th, 2018.
Dave Bittner: [00:02:13:00] Earlier this week, an issue with the IT supply chain hit pipeline operators. Yesterday there was another third-party breach disclosed that affected a major airline and a major retailer, and several other companies as well. Delta Airlines and Sears both said that "hundreds of thousands" of customers' personal information was exposed through an online chat service they used for customer support. The chat service was provided by Silicon Valley firm [24]7.ai. That company said in a statement, "[24]7.ai discovered and contained an incident potentially affecting the online customer payment information of a small number of our client companies and affected clients have been notified. The incident began on September 26th and was discovered and contained on October 12th, 2017. We have notified law enforcement and are cooperating fully to ensure the protection of our clients and their customers’ online safety. We are confident that the platform is secure, and we are working diligently with our clients to determine if any of their customer information was accessed."
Dave Bittner: [00:03:17:13] Sears said, in an announcement dated Wednesday, that [24]7.ai notified them of the breach in "mid-March." Delta was more specific in its statement, saying they were notified last week on March 28th. Both companies said that they'd been taking steps to contain the damage since they were notified. Other companies were also affected, Best Buy among them, and no doubt others will come to light soon.
Dave Bittner: [00:03:42:20] Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, pointed out that the companies named as having suffered loss of customer data in the incident weren't themselves breached. It was a third-party breach that hit them via a vendor. Bilogorskiy said, "Third parties have been the vector of attack in many high-profile breaches and I anticipate this trend will continue. In recent years, 63 percent of breaches were traced to third-party vendors, according to the Soha Systems survey on third-party risk management. If a hacker can breach a company and pretend to be a legitimate vendor, they may have full access to a company’s network for months. Plenty of time to monetize their attack."
Dave Bittner: [00:04:23:11] Mounir Hahad, head of Juniper Threat Labs, thinks it possible that there may be a systemic issue here. He said, "It is important to understand that this breach is different from some past breaches, such as Target, where the third-party vendor was a vehicle for an intrusion into the final victim’s own network." Both Bilogorskiy and Hahad agree that businesses need to think in terms of the security of their vendor supply chain. As Hahad noted, "At the end of the day, it’s companies like Delta Air and Sears that end up in the news, not so much the third-party vendor."
Dave Bittner: [00:04:58:17] The US Secret Service has warned banks that chipped corporate debit cards are being tampered with by criminals. They intercept new cards in the mail, tamper with their chip, and then send them on to their ultimate corporate users. It appears the operation works like this. Once the crooks take the card from the mail, they heat it to melt the glue holding the chip, then they replace the new card's chip with an older one they have, and then put the new chip into an older card. The new card with the older chip is then put back into the mail. When the company gets the card they'll activate it. But in the meantime the criminals can make purchases and steal funds using the new chip they retained. How the criminals get to the mail is unclear. It may be a Postal Service inside job, or perhaps the crooks are just keeping an eye on corporate mail boxes.
Dave Bittner: [00:05:47:00] New activity by the OceanLotus threat group is being observed. Security company Trend Micro has detected a new MacOS backdoor being used against an array of human rights groups. OceanLotus is believed to operate on behalf of the government of Vietnam. The infection vector is thought to be a malicious Word document distributed by phishing emails.
Dave Bittner: [00:06:09:01] Security intelligence firm Recorded Future says a Mirai variant has been responsible for attacks on European financial institutions earlier this year.
Dave Bittner: [00:06:18:13] Cisco's Talos security research unit thinks it knows how Energetic Bear has been gaining access to systems associated with the US power grid. Talos believes the Russian threat actor that US-CERT warned about is getting in by taking advantage of misconfigured Cisco switches.
Dave Bittner: [00:06:36:10] Microsoft is working to find what caused the widespread Office 360 outages being experienced across Europe today. The problem appears to be accidental, probably a glitch and not an attack, but investigation is in progress.
Dave Bittner: [00:06:51:09] Facebook CEO Zuckerberg will testify before two US Senate committees next week, the day before he appears in the House. On April 10th he'll answer questions from the Senate Judiciary and Commerce Committees.
Dave Bittner: [00:07:02:19] Russia warns the UK that, if it continues to accuse Russia of things like the Salisbury nerve agent attacks, Russia will take appropriate measures. Britain, Moscow says, is playing with fire. That fire is widely expected, in the West, to take the form of stepped up cyberattacks, at least initially.
Dave Bittner: [00:07:22:23] And, finally, in what for us is local news, since these guys are just on the other side of the floor from us, DataTribe has announced the three finalists in its $2 million cyber funding competition. Out of almost a hundred applicants, the finalists are: CYR3CON, which combines machine learning with the ability to comb some of the most restricted parts of the Internet to deliver timely and active predictions that help its customers become proactive about security; Imogin, a unique sensor platform company that combines hardware, software and smart imaging technology that has the potential to save billions of dollars in the autonomous vehicle, drone, transportation, industrial and commercial satellite industries; and Inertial Sense, offering miniaturized high-performance GPS inertial navigation, attitude heading reference and inertial measurement sensor systems for the smallest, most accurate and cheapest sensor platforms available in the world today. These three will share a $20 thousand prize. And on the 25th of April DataTribe will announce the winner, who will take home $2 million in seed funding. Good luck to them all.
Dave Bittner: [00:08:34:00] Now I'd like to share some words about our sponsor Akamai. You've heard of the zero trust security model. Well, Akamai is the expert in deploying zero trust architectures to address the evolving security threats you face every day. That's because they're also the cloud experts. Akamai's approach to security was built for the cloud because it was born in the cloud. In the age of zero trust networks, the enterprise network is no longer the perimeter. The entire cloud is the perimeter, with no inside or outside. And the threats can come from anywhere and anyone at any time. Akamai's zero trust security model accelerates secure digital transformation, protecting your business and enabling growth. Visit akamai.com/zerotrust to learn more. That's akamai.com/zerotrust. And if you're going to RSA this year, stop by and say hi to me and the CyberWire team at the Akamai booth, north hall booth 3625. We hope to see you there. And we thank Akamai for sponsoring our show.
Dave Bittner: [00:09:43:01] And I'm pleased to be joined once again by Johannes Ullrich. He is from the SANS Technology Institute and he's also the host of the ISC Stormcast podcast. Johannes, welcome back. You had some tips today you wanted to share about API security. What do we need to know here?
Johannes Ullrich: [00:09:58:00] You know, what I really see lately when I'm talking to developers or when I'm teaching our web application security class is that most web applications today are written as APIs, as application program interfaces. So what you do is you write an API and then you write a modern web application that accesses it or maybe a mobile application that accesses that API. Whenever developers, or anybody for that matter, jumps sort of on these new technologies, they sadly tend to forget sort of the basics that have always been true and are still true for these APIs. So, for example, what I'm seeing here a lot is protection against brute forcing, where you have an API, for example, I saw this recently, that allows it to reset a password and then they sort of did the right thing. They used sort of a one time password via SMS messages that the user had to use to acknowledge that they want to reset their password. Well, there was no brute force protection here, so it's not really all that hard to write a little script that tries all these five digit numbers that they were going to send you and essentially brute force the reset for any password.
Johannes Ullrich: [00:11:17:14] So, these are some of the simple things, but it continues with cross-site scripting, SQL injection. All of these old basic vulnerabilities, they're coming back now and just sort of wrapped in this new technology.
Dave Bittner: [00:11:31:08] So, in the case you just described, is it a matter of limiting the number of attempts that someone can make over a given period of time?
Johannes Ullrich: [00:11:36:09] Yes. This would be a defense here or just limit the number of attempts period. So, if you reset your password and then I sent you this reset code, well I'll only accept three, four or five different codes before I make you request a new code. So, this would be a simple fix there. This is something that people commonly do and have done for a long time for traditional web applications. But, then again, they sort of forget that these APIs, that are often accessed sort of by these fairly obscure and hard to sort of reverse pieces of client side script, that they're as vulnerable as your good old input form was on a web application.
Dave Bittner: [00:12:21:02] So, why do you suppose this is being overlooked? Is this a matter of people being in a hurry or cutting and pasting or simply negligence or just overlooking it?
Johannes Ullrich: [00:12:31:08] I think it's just overlooking it and a little bit, they sort of assume that these APIs or web services are often used to talk to other web services. They don't really sort of take into account that a user sort of or humans kind of inject themselves and pretend to be a web service or this application that's talking to your API here. The way I always put it is just because you assume that machines talk to machines, well not all machines are good. You just have to watch 'Terminator' and see where it can go with the machines.
Dave Bittner: [00:13:05:08] Alright. That's quite a metaphor Johannes. As always, thanks for joining us.
Dave Bittner: [00:13:13:22] And now a few words about our sponsor Enveil, whose revolutionary zero reveal solution closes the last gap in data security, protecting data in use. Enveil offers the industry's first and only scalable commercial solution, enabling data to remain encrypted throughout the entire processing life cycle. Imagine being able to analyze, search and perform calculations on sensitive data without ever decrypting anything. All without the risks of theft or inadvertent exposure. Enveil is designed to integrate seamlessly with existing applications and workflows, to address many challenges including secure cloud processing, crown jewel data protection, secure data monetization and regulatory compliance such as GDPR. What was once only theoretical is now possible with Enveil. Learn more at enveil.com or be sure to connect with them in person at the RSA early stage expo booth 32 later this month. That's enveil.com. And we thank Enveil for sponsoring our show.
Dave Bittner: [00:14:24:07] My guest today is Jimmy Heschl. He's the head of digital security at Red Bull, the global energy drink company headquartered in Austria. They sell over six billion cans of energy drinks a year around the world, and Jimmy Heschl is responsible for making sure the company and its customers' data are protected.
Jimmy Heschl: [00:14:42:06] So my accountabilities is to make sure that whatever we do at Red Bull on a global scale is done in a secure way. That means all information technology, all data privacy, all these things need to be done in a proper way and in a proper manner.
Dave Bittner: [00:14:59:17] And can you give us an idea of the range of areas that that covers? I mean, obviously you have employees, you have manufacturing, you have consumer facing things.
Jimmy Heschl: [00:15:08:02] Yes. We have several consumer facing areas, websites and communities. We have our core business, which is energy drinks which are available in 167 countries around the globe. We've got a user base of around 10,000, 11,000 internal accounts and devices, plus mobile devices, so that doubles the figures, the numbers and it's a total footprint of social media followers and all of that of around 100,000,000 people.
Dave Bittner: [00:15:43:06] And so how do you set your priorities? How do you delegate with your team for how you handle the various security challenges that you face?
Jimmy Heschl: [00:15:52:19] That's three things. One is management of the capabilities, where we defined the usual things you should have in place based on frameworks and standards like COBIT. The second one is what I call the architecture, which is the enablers of COBIT. So which tools, which organizations, which skill sets do we have? And the third driver for the priorities is a set of risks we are facing. Online risks, off line risks. All these things. And the combination of those three things then drive the priorities.
Dave Bittner: [00:16:29:17] And so what currently are the things that are on your radar? What do you see as being the big threats that you have to face?
Jimmy Heschl: [00:16:37:03] The big threats is always the disgruntled employees, disgruntled partners. Vendor lock in and cloud services, for example. That's really driving us and, of course, the ever growing market of online adversaries. So cryptocurrencies and those things that not normally but via trojans and other things come to our endpoints and devices and steal either a computing power or in the worst case ask for a ransom.
Dave Bittner: [00:17:10:18] Have you had to face those sorts of challenges specifically? Have you had to deal with things like ransomware?
Jimmy Heschl: [00:17:16:20] Yes, we've had some occasions of ransomware up to one and a half years ago. The total number of 150 devices that were encrypted. All single instances, so no plot encryption. Every single infection is one too much.
Dave Bittner: [00:17:34:12] Now, when you're communicating the challenges that you face to your board, to the people who have hired you, how do you handle that translation of the technical side of things to managing risk?
Jimmy Heschl: [00:17:47:05] That's a complicated thing and I'm not very successful in that because I try to translate it in business terms, but a company like us is not very much driven by the clear facts and figures as a bank would be, and the KPIs and the KRIs like in Basel II or other things, it's more the likelihood of an impact to our whole business and to the way we conduct our business and it's more about telling stories and telling things what could go wrong, what went wrong at other companies and how we need to make sure that we protect ourselves in an appropriate way.
Dave Bittner: [00:18:30:14] How are you going to be affected by GDPR coming on line at the end of May?
Jimmy Heschl: [00:18:36:01] Not that much anymore. So we've been affected a lot, of course, with our digital footprint and also collecting, of course, and having the duty of protecting that information of the footprint. So, many of our consumers trust us and we need to be absolutely aligned that trust with the capabilities we have in place. So, for me, GDPR is not a legal requirement, it's a question of honesty and to be diligent with what you have and all the data you have from your stakeholders and constituents. So, from now on I can sleep really well. With GDPR requirements I think we did our homework. No big issue up until May.
Dave Bittner: [00:19:24:04] How do you deal with the fact that Red Bull, being a global brand, you have to deal with regulations and requirements that vary from country to country and even, you know, state to state?
Jimmy Heschl: [00:19:34:11] Yes, compliance requirement is different from various regions and countries and regulators, but luckily we are not primarily driven by compliance requirements as a bank or an insurance company would be, so we are more driven by curiosity and flexibility and enterprise and business growth.
Dave Bittner: [00:19:54:03] It seems like Red Bull is such a strong brand and you have such strong brand loyalty that, I guess, one of the main risks you face is reputational damage. If you were to have some sort of major cyber related breach, that's where you could be hit the hardest and that's a tough thing to measure.
Jimmy Heschl: [00:20:11:24] Absolutely and whenever you come up with a metric for that, that metric might be a lie or unrealistic, so I'm not trying to sell risks or fear, uncertainty and doubt throughout the company. It's really more about the story and making informed decisions and aware decisions that yes, things can go wrong and it's very likely that things will go wrong sooner or later, but it's our duty to make sure that we are resilient enough that whenever things go wrong we are not harmed.
Dave Bittner: [00:20:46:12] That's Jimmy Heschl from Red Bull.
Dave Bittner: [00:20:51:23] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence visit cylance.com. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:21:12:20] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.