Ticketmaster paycard breach is part of a very large skimmer campaign. Chinese cyberespionage and censorship. Smartphone privacy issues. Data misuse litigation. Affirming the consequent.
Dave Bittner: [00:00:00] Hey, everybody. A quick thank you to all of our Patreon supporters. You can find out how to support our show by visiting patreon.com/thecyberwire. We do appreciate it.
Dave Bittner: [00:00:13] The Ticketmaster breach is the tip of a big software supply-chain iceberg. Chinese intelligence services are closely interested in Cambodia's elections. iOS crashes appear related to code designed to block displays of Taiwan's flag to users in China. Congress wants some answers on smartphone privacy from both Apple and Alphabet. Facebook's wrist is slapped in the U.K. And a Langley Credit Union identity theft case proves not necessarily related to the OPM breach.
Dave Bittner: [00:00:49] Time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. So sign up for the Cyber Daily email, where every day you'll receive the top trending indicators Recorded Future captures crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:02:07] Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:02:11] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 11, 2018. The large Ticketmaster breach disclosed on June 27 was, according to security firm RiskIQ, just a small part of a much larger criminal card-skimming operation. Magecart, a criminal gang that's been active since at least 2015, is thought responsible. The entire caper extends to somewhat more than 800 e-commerce sites worldwide.
Dave Bittner: [00:02:42] Magecart works by installing skimmer software into third-party components and services used by the retail sites. The Magecart operation is a bit different from the standard kind of skimmer you might encounter in a checkout line or at a gas pump. Their skimmers are digital, software insinuated into online commerce sites, normally through the compromise of some third-party vendor. RiskIQ describes the skimmer as simple but obfuscated.
Dave Bittner: [00:03:10] The security firm also thinks the criminals are getting smarter in their approach. Instead of fiddling with individual websites or webpages, they've found they get a better return if they compromise third parties who supply scripts to retailers. The third-party vendors RiskIQ mentions are Inbenta, SociaPlus, PushAssist and Annex Cloud.
Dave Bittner: [00:03:31] The potential for large-scale pay-card theft is serious. RiskIQ's blog says that, quote, "Magecart is an active threat that operates at a scale and breadth that rivals or possibly surpasses the recent compromises of retail giants such as Home Depot and Target," end quote. Another way of looking at the case, of course, is that it's a supply chain issue. Supply chains can deliver software as much as they can hardware, and they're all attractive to operators with bad intentions.
Dave Bittner: [00:04:03] Chinese espionage services are, according to FireEye, vigorously prospecting Cambodian political media and government targets in advance of that country's elections, scheduled for July 29. Prime Minister Hun Sen is seeking re-election. He's running without any effective opposition. The opposing Cambodia National Rescue Party was dissolved last year, and its leader arrested on suspicion of plotting with the U.S. to overthrow the government. That arrest is widely regarded as founded on a bogus accusation.
Dave Bittner: [00:04:36] Bloomberg quotes FireEye's sources as saying, quote, "we expect this activity to provide the Chinese government with widespread visibility into Cambodian elections and government operations. The compromises fit the overall MO of Chinese espionage in that they gather up all the information that they can," end quote. Chinese operators are said to be targeting the opposition, human rights groups and media organizations. They have also extended their activities to government bodies, including the National Election Commission, the Ministry of the Interior, the Ministry of Foreign Affairs and International Cooperation, the Ministry of Economics and Finance and the Senate. It's an instructive case of the extent to which intelligence services will go to inform themselves concerning matters that aren't in serious doubt.
Dave Bittner: [00:05:24] In another story with a Chinese-government angle, people have reported that some iPhones have been crashing, entering a denial-of-service condition that Apple patched Monday. The problem seems related to Apple's willingness to placate China's government by ensuring that iOS devices in China wouldn't display Taiwan's flag as an emoji option. Digita Security founder Patrick Wardle, who investigated, believes devices crashed because iOS was coded to treat the Taiwan emoji as an invalid input. Confusion over location and language settings appears to have triggered the problem. If you are looking toward another problematic time for Apple users, wait until October 10, celebrated in Taiwan as Double 10 Day, the national holiday.
Dave Bittner: [00:06:12] High-profile cases of insider threats like Edward Snowden and Chelsea Manning attract attention and generate headlines, and justifiably so. Ken Spinner is VP of global field engineering at Varonis. And he wonders if we're being distracted and taking our eye off the ball.
Ken Spinner: [00:06:29] It's gotten to the point where people at bars and restaurants know the names of Manning and Snowden and Winter and so on, but they lose sight of all the other things that are happening. You know, they lose sight of all the other people that are potentially stealing data, and whether those people are insiders or whether those people are trusted outsiders, or whether those people are potentially consultants and contractors.
Dave Bittner: [00:06:53] Now, where do you think organizations are getting it wrong?
Ken Spinner: [00:06:56] I don't think they're focusing enough on insider threats, and I certainly don't think they're focusing enough on data. If you look at what people are going after, typically they're going after data. And they're going after data that potentially can be mined for specific types of information, or they might be going after data that they can monetize. So because of that, I think a lot of organizations are neglecting going after the people who are actually searching for the data. And they're not doing enough behavioral analysis to determine, you know, when somebody's behaving incorrectly or correctly.
Dave Bittner: [00:07:27] So let's dig into that in terms of a solution. So we've got behavioral analysis. Walk us through what you mean by that.
Ken Spinner: [00:07:34] I'll give you an example. Typically, if you have, let's say, a finance person, they're probably going to access similar files every day. They're probably going to access those files from the same machines every day, and they're probably going to do it during normal business hours. The technologies that are out there need to be able to determine what constitutes normal, and the technologies that are out there also need to be able to determine very quickly what constitutes abnormal.
Ken Spinner: [00:08:00] So if you have a finance person, and they're working after hours, and all of a sudden you see that they're coming from a machine that's not their normal machine, you might want to be suspicious of it. And you might want to start investigating what was going on with that individual. Now, if you also know that the data that they're accessing is potentially really important financial data, really important to the company, you're going to start to - potentially start investigating what that data was, and why is it so important, and why is that individual accessing it during hours that might not be appropriate from a machine that might not be appropriate.
Dave Bittner: [00:08:33] Now, how about encryption in protecting the data at rest and in transit? How much could that contribute to a solution to this problem?
Ken Spinner: [00:08:41] Oh, it absolutely contributes. Encryption, like every other type of security technology out there, is very important. But at the same time, encryption only helps when you have people who are - potentially should not have access to that information. But if you're granting access to somebody, or if somebody - you know, as an example, a person loses their credentials or credentials are stolen, then encryption might not help. And what I mean by that is the person's already got access to that information, which means that they've been granted access. And they more than likely have the keys to that particular encrypted file or folder, so they'll be able to access it anyway.
Dave Bittner: [00:09:18] So what you're advocating is really a system that learns the habits of your employees and then also implements a set of boundaries and can alert when things go outside of those boundaries.
Ken Spinner: [00:09:32] Yeah, that's exactly right. And I'm also looking to get deeper into automation. So when manual processes break, automation takes control. So - and what I mean by that is if you have an individual who grants access or over-permissive access, we should have the proper tools in place to make sure that that's controlled by some other automated process.
Ken Spinner: [00:09:54] Typically, people don't do a good enough job making sure that they understand what type of data they manage, the criticality of that data for the business, the criticality of the - of that data for ongoing operations. And if they do that right, and they do behavioral analytics on that data, they'll be able to manage and secure that data a lot better.
Dave Bittner: [00:10:11] That's Ken Spinner from Varonis.
Dave Bittner: [00:10:15] The U.S. Congress continues to question Google and Apple over user-tracking practices. Apple said it will limit the user data third-party developers can get from Apple devices. But the House of Representatives' Energy and Commerce Committee would like to know why the developers are allowed access to any data at all. The committee is also interested in what's up with respect to privacy in the Android ecosystem, especially since reports surfaced recently that Google has continued to enable data scanning for target marketing.
Dave Bittner: [00:10:45] Facebook also remains under scrutiny. The U.K.'s information commissioner has fined the company 500,000 pounds. Observers dismiss this as chicken feed, but the commissioner also called for an ethical pause in micro-targeted advertising, which could be more consequential if it turns out to be something more than merely aspirational.
Dave Bittner: [00:11:05] Facebook is also facing more litigation. An Australian litigation funder, IMF Bentham, has opened a class action suit against Facebook for privacy matters pertaining to the Cambridge Analytica affair.
Dave Bittner: [00:11:19] The Pirate Bay is now telling users upfront that it intends to crypto-jack their CPUs. They can like it or lump it - install an ad blocker or get off their site.
Dave Bittner: [00:11:30] And finally, you may recall the case of Kariva Cross, who last month copped a guilty plea to having used stolen identification information to get fraudulent personal and vehicle loans from the Langley Federal Credit Union. The U.S. Attorney's Office for the Eastern District of Virginia, which prosecuted the case, issued a press release at the time that explained Ms. Cross got her stolen personal information from the large data breach the U.S. Office of Personnel Management, OPM, sustained - or at least discovered and disclosed back in 2014.
Dave Bittner: [00:12:04] It turns out that this probably isn't true at all. Ms. Cross didn't necessarily get the personal data she stole from the OPM breach. The Justice Department corrected itself in a letter to Senator Warner, Democrat from Virginia.
Dave Bittner: [00:12:18] Instead, what happened seems to be that some of the victims whose data had been used told investigators that their information had been compromised by the OPM incident. But that's not surprising, since an awful lot of people were affected by that breach, and since an awful lot of them no doubt live or work in the vicinity of Langley, Va. There's no evidence that Ms. Cross actually used data from the breach in her crimes. And so justice was premature, as they put it, in jumping to its conclusion.
Dave Bittner: [00:12:49] The episode is a nice illustration of the logical fallacy of affirming the consequent. If someone's data used in the identity theft were traceable to the OPM breach, then that person would have been a victim of the OPM breach. Right? But it doesn't follow that any case of identity theft involving a victim of the OPM breach is therefore traceable to that OPM breach. Who in the world knows where Ms. Cross got her data? Well, presumably she does. But the inference the press release draws is invalid. And here all of us were marveling at the investigative work that traced the OPM data to fraud at the credit union.
Dave Bittner: [00:13:25] Consider this - if Abraham Lincoln fell off the Empire State Building, then he'd be dead. Abraham Lincoln is dead. Therefore, he fell off the Empire State Building. No. That's the fallacy of affirming the consequent. Class dismissed, Eastern District of Virginia.
Dave Bittner: [00:13:47] Now, a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest paper, entitled, "More is Not More: Busting the Myth that More Threat Intel Feeds Lead to Better Security." It's a common misconception that a large quantity of threat intelligence feeds leads to more effective security. Unfortunately, threat feed over-indulgence can lead to confusion, disorganization and inaccurate threat reports. Instead of adding more threat intel feeds, you should incorporate the feeds that provide the most value to your company's security operations. Find the paper, or to register for a free ThreatConnect account, visit threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:15:06] And I'm pleased to be joined once again by Johannes Ullrich. He is from the Internet Storm Center's "StormCast," a daily podcast from the SANS Institute. Johannes, welcome back. You know, we've been seeing a lot of talk lately about efforts to secure DNS. What can you share about that?
Johannes Ullrich: [00:15:24] Yes, thanks for having me. DNS, of course, is one of those ancient protocols, as far as the internet is concerned - actually, one of the big success stories in the ways it survived them, but it has scaled so far. But the one issue we always had with DNS was privacy. Now, initially the security concerns with DNS were more around integrity of the data, like DNS spoofing. And DNSSEC, of course, was invented to prevent that.
Johannes Ullrich: [00:15:51] DNSSEC had a little bit a rocky start and isn't really used all that much. But really, the only thing it prevents is someone from spoofing a DNS. As an end user, that tends to be not a huge concern. What you're really more concerned about is privacy. And some recent efforts really sort of have put more attention to that.
Johannes Ullrich: [00:16:13] For example, DNS over TLS. You may have heard about Cloudflare setting up their own public DNS resolver, 1.1.1.1. That DNS resolver now, for example, supports DNS or TLS. So if you have, for example, a home router or, on your desktop, software that does support DNS over TLS, then you can take advantage of this, and your ISP no longer knows what DNS solutions you actually performed.
Johannes Ullrich: [00:16:47] Now, from a defensive point of view, this can also be a problem because DNS has sort of been, you know, one of the ways how you're able to inspect some of this traffic in our networks. With more and more traffic moving to HTTPS and encrypted traffic in general, DNS was sort of the one opening we had to really see what sites our users were visiting. Actually, another sort of little protocol that starts to take off now is DNS over HTTPS - DoH, it's sometimes abbreviated as. And now, in your network, everything will go over HTTPS, including DNS, which of course for enterprise and so will make it more difficult to defend.
Dave Bittner: [00:17:29] In your estimation, is that a worthwhile tradeoff?
Johannes Ullrich: [00:17:32] Well, I think it depends on your sort of threat model and what network you're in. I think, for a home user, if you're traveling and connecting to less than trustworthy networks, that - DNS over TLS or DNS or HTTPS are - will create protocols. In enterprise networks, I think you may still want to have more control over where your users are going, what they're doing with your systems, and, you know, if the data that you have - and that's also consumer data - is protected well.
Johannes Ullrich: [00:18:02] In those case, I think you would still want to retain that internal visibility, but the way you can do it and still sort of take advantage of some type of privacy is where you essentially configure your internal clients that they connect to your internal resolver, but then that internal resolver can still take advantage of protocols like DNS over TLS or DNS over HTTPS to preserve the privacy as the data leaves your network.
Dave Bittner: [00:18:29] All right. Well, as always, good information. Johannes Ullrich, thanks for joining us.
Johannes Ullrich: [00:18:33] Thank you.
Dave Bittner: [00:18:38] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [00:18:58] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:06] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media with editor John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.