Perils of paycards, as Cyber Weekend approacheth. Tessa88 is identified. Many more people than before have now heard of High Tail Hall.

Dave Bittner: [00:00:03] Amazon offers customers a limited alert of some kind of data exposure. Facebook is back online. Shoppers and retailers prepare for Cyber Weekend. Tessa88, the dark-web data hawker, may have been identified. Cyber espionage continues. We've got a look back at Triton malware with Schneider Electrics' Andy Kling. And there's been another breach in what we've curiously agreed to call an adult site.

Dave Bittner: [00:00:35] It's time for a message from our sponsor Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give InfoSec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:37] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 21, 2018. Amazon has experienced a so far unspecified breach. The online retailer has emailed many customers but not all to say that their name and email address had been exposed due to a technical error. That email - genuine enough, despite its fishy appearance - doesn't say what happened or where or why or how. But it reassures the recipients that everything's fine, and there's no need to change passwords.

Dave Bittner: [00:02:17] It's interesting to note that a number of people suspected the email from Amazon might be a scam even though some of the telltale signs of social engineering by email weren't present. There were no requests to verify your account or click here to reset your password. Perhaps this is a good sign of growing awareness of the risk of phishing. If so, good. Stay skeptical.

Dave Bittner: [00:02:40] It's also interesting to note that the incident occurred just before what's become in the U.S. especially, but elsewhere as well, a traditional long weekend of shopping frenzy. Risks of fraud are naturally somewhat heightened at this time of year. How high the rate of fraud is might be seen in some data published by ACI Worldwide, the online payment provider.

Dave Bittner: [00:03:03] Looking at the track record based on hundreds of millions of transactions, ACI thinks we can expect the value of retail fraud attempts to jump by 17 percent over what we suppose we must now call Cyber Weekend. Taking individual fraud attempts, ACI estimates that the average dollar value of each scam try will be up by 3 percent, specifically up to $243 per attempt. Tomorrow, Thanksgiving Day, seems likely to be worst of the long weekend, with some 1.8 percent of all attempted transactions being fraudulent. The comparable scam rates for Black Friday and Cyber Monday are expected to come in at 1.3 and .93 percent, respectively.

Dave Bittner: [00:03:47] We've heard and seen a lot of advice for consumers on staying cyber safe. But it's worth remembering that in many respects, this is an organizational challenge for businesses engaged in e-commerce. NuData Security - now a Mastercard company, so they think about this a great deal - reached out to us with a comment. High volume correlates with heightened risk. And according to NuData's Ryan Wilk, quote, "organizations need to be aware of this and make sure that their account security corresponds to the heightened threats by engaging with more robust access protocols such as two-factor authentication and passive biometric solutions," end quote.

Dave Bittner: [00:04:26] Retailers compete, of course, but so do the crooks who target them. In the card-skimming underworld, rival gangs are struggling for Magecart supremacy on an infected e-commerce site.

Dave Bittner: [00:04:39] It's been just over a year since Industrial Control Systems security firm Dragos discovered a malware campaign designed to sabotage the safety shutdowns in a system in the Middle East. The malware, which is most often referred to as Triton or Trisis, triggered an emergency shutdown of the Schnieder Electric Triconex system it had aimed to control. This inadvertent shutdown was one of the factors that led to its discovery. Since then, Schneider Electric has been remarkably transparent about the event, sharing information with researchers, colleagues and even competitors. Andrew Kling is director of cybersecurity and system architecture at Schneider Electric.

Andrew Kling: [00:05:19] In August of 2017, we had a plant that went down, meaning the safety system was tripped and the plant was taken to a safe state. Initially we investigated this as a plant trip, a safety situation. OK, what happened at the plant that would cause this? Fairly quickly, though, we recognize that it couldn't be explained by normal process and process control, and it caused us to look a little deeper. And in fact, we recognized that this was a cybersecurity incident.

Dave Bittner: [00:05:52] So what were some of the lessons learned? What were some of the take-homes, having been through this?

Andrew Kling: [00:05:57] So for me personally, I am in R&D. I run an SDL, a Secure Development Lifecycle, for an organization that's very large. We're 1,000 engineers spread over multiple continents around the world. And we had always taken an approach of identifying - in our SDL, identifying vulnerabilities, ranking those vulnerabilities using the Common Vulnerability Scoring System and addressing the most severe vulnerabilities and moving down that list, working through our backlog of vulnerabilities, that we addressed the most severe. The lesson learned that I personally took out of this attack was attackers don't start at the top of the list. They'll start with wherever they have their tradecraft and their preparedness. And so vulnerabilities that existed fairly low down on that list, out in the CVSSes of threes, fours and fives, that's where they were attacking. Those are some of the techniques that they were using.

Andrew Kling: [00:06:55] And so the lesson learned was you can't only look at sort of a top-down, most-severe-to-least-severe approach, but you actually have to look at the tradecraft that's being used. You have to understand the advanced persistent threats out there, these threat groups that are out there and the techniques that they're using so that you can devise your defenses not only in this top-down approach, but also in a very pragmatic approach that looks at the techniques that could be used against you.

Dave Bittner: [00:07:21] So is this a matter of monitoring incoming feeds of threat intelligence to know - to, I guess, align the vulnerabilities with what's actually going on out there in the real world?

Andrew Kling: [00:07:34] Yes, exactly. It not only entails you having a program of understanding vulnerabilities and the evolving nature of vulnerabilities - somebody discovers a new zero-day in an operating system or in a library - we've all - we all hear about these things all the time - but also understanding where these vulnerabilities are being exploited. And it's that exploit - those exploits that require the threat intelligence that you mentioned, that require that you have a continuous feed.

Andrew Kling: [00:08:03] And it's not enough just to have the feed. It's not enough just to have a keyword in those feeds that you're triggering. But you have to look at them and actually understand the nature of what's going on. And, yes, this ties into motivation. It ties into geopolitical nature, ties into what would motivate an attacker to attack your customers and your industries and your verticals. It takes time to understand what those motivations might be so that you know how to filter through this threat intelligence to find what actually matters to you most.

Dave Bittner: [00:08:36] You know, it's my impression that, particularly in the Industrial Control System space, there is a strong sense of community and a lot of sharing that goes on between organizations, between researchers. First of all, is that actually the case, in your experience? And how does an event like this make its way through the community?

Andrew Kling: [00:08:57] You know, that's a great question. Within days of this incident becoming public, I was on the phone with my competitors. I have colleagues that I know in other competitive businesses through standards committees. And like you said, it's a close community. I was briefing them. Very point-blank, I was briefing them on what we knew about the attack, how the tradecraft looked like it could have - it definitely was attacking our product but could be applied to any kind of safety product. And we were there to help them learn as much as anybody and continue to stand that posture, to stand that vision of trying to bring this collaboration.

Andrew Kling: [00:09:35] This is an industry call to action. And we firmly believe in that, and we are putting our efforts behind that. If the next one comes and I am ready, will I know it? Will I know that the attack happened, and it failed? It's entirely possible that the attack happens, and we completely thwart the attack, and there's never any evidence that the attack happened. So it's very difficult to say. We need to work with everybody. This collaboration has to go horizontal through the industry, meaning we all have to work with each other.

Andrew Kling: [00:10:04] And then we also have to think about some of that vertical collaboration. How do we work with the government agencies around the world? This has been a real eye-opener here that - you know, where we identify that there very much are silos between countries when it comes to some of this. And, yes, some sharing goes on. Much of that is probably hidden from somebody like myself down here at an OEM level. But we very much can conceive vertical silos built-in in how we share.

Andrew Kling: [00:10:33] And so it's incumbent upon a vendor like myself, an OEM like myself, to find those silos and to communicate up through them to the government agencies that need to know. But it's also important that we start to break down some of these barriers so that there is a better way to collaborate on incidents like this. And it's collaboration that's going to help us improve our security posture.

Dave Bittner: [00:10:56] That's Andy Kling from Schneider Electric. You can read his article "One Year After Triton: Building Ongoing, Industry-Wide Cyber Resilience." That's on the Schneider Electric website.

Dave Bittner: [00:11:09] Threat intelligence firm Recorded Future says it's cleared up the mystery of Tessa88, the hitherto unidentified cyber criminal who in 2016 sold Myspace, Badoo, LinkedIn, QIP, Rambler, VKontakte, Mobango and Twitter databases. The security firm has concluded that Tessa88 is one Maksim Vladimirovich Donakov of Penza, Russia. Tessa88 claimed to be a broker or middleman as opposed to a hacker. Mr. Donakov is, as far as known, still at large. But there has recently been an indictment and extradition to the U.S. of another hood involved in the MySpace caper.

Dave Bittner: [00:11:52] Espionage in cyberspace continues at its customary tempo and customary actors. Australia, however, is thought to be seeing an increase in the attention being paid to its corporate intellectual property by China's Ministry of State Security. And observers continue mulling Cozy Bear's virtuoso return to phishing for access.

Dave Bittner: [00:12:14] Those of you in the furry community - you know who you are. But a breach in the High Tail Hall suggests that about half a million of you will eventually be known to everyone else as well. The BBC and friend of this show Graham Cluley seem well-informed on the incident. You can safely leave us out of it.

Dave Bittner: [00:12:35] Remember to look for a redesigned daily news briefing email shortly after the Thanksgiving holiday. It's redesigned to avoid falling into spam traps or becoming inadvertently enmeshed in the array of anti-phishing measures increasingly deployed. We hope you'll find the new format more user-friendly. We'll announce the date as the rollout approaches. As always, thanks for subscribing and reading. That's one of the many things we at the CyberWire are thankful for. And remember, if you don't subscribe yet, why not sign up for the always free daily delivery this Cyber Weekend?

Dave Bittner: [00:13:07] We are, of course, observing Thanksgiving this week so there will be no daily news briefing, daily podcast or "Hacking Humans" on Thursday or Friday. There will also be no "Research Saturday" or Week that Was this Saturday. Everything returns to normal next week. In the meantime, enjoy the holiday, and we'll see you Monday.

Dave Bittner: [00:13:31] And now a few words about our sponsor, our friends in the technology news world Techmeme. You probably know Techmeme from their curated online comprehensive view of all the day's tech news. And now they also produce the "Techmeme Ride Home" podcast. If you like the CyberWire and you're looking for even more technology news, "Techmeme Ride Home" is the podcast for you. We're fans, and we think you'll like it, too. It's 15 to 20 minutes long and hosted by veteran podcaster Brian McCullough. You may know Brian from the "Internet History" podcast. The "Ride Home" distills Techmeme content into, well, the kind of things you'd like to listen to on the ride home - headlines, context and conversation about the world of tech. It posts every weekday afternoon around 5 p.m., great for afternoon drive time in the U.S. Be sure to search your favorite podcast app for "Ride Home" and subscribe today. That's the "Techmeme Ride Home" podcast. And we thank the "Techmeme Ride Home" podcast for sponsoring our show.

Dave Bittner: [00:14:39] And I'm pleased to be joined once again by David Dufour. He is the vice president of engineering and cybersecurity at Webroot. David, welcome back. We wanted to go through and touch on some issues with open-source code - kind of walk through what some of the best practices are, some of the good things and bad things when it comes to using it on your projects. What can you share with us?

David Dufour: [00:15:00] Hey. First of all, great to be back, David. And you're right. You know, open source, I think a lot of folks are getting a lot more understanding about licensing and things like that. And that's really where we're going to focus. I should start out by saying I am not a lawyer. Do not take advice from me thinking that's in some way going to protect you. But the whole point here about talking about open source is really just to raise that consciousness of considerations you need to take.

David Dufour: [00:15:28] So what are we talking about? I'm an engineer. Everybody out there, you know, that's developing software, you know, we all like to put on our pirate hats and surf the internet and look for something that prevents us from having to write code from scratch. And a lot of times you find really well, professionally made products are free, but they are under different open-source licenses. We want to use those in products that we want to develop and then potentially sell. And the trick is you need to take the time as a developer - and a lot of startups don't want to take this time, and I get it because I've been there - to understand, you know, the implications of building a solution around products of different open-source licenses.

Dave Bittner: [00:16:15] And I understand that there's this sort of fundamental tension because I think there's this perspective that, well, anything open source, the upside is that it's going to have a lot of eyes on it, but the downside is no one's really being paid to take that deeper look at it.

David Dufour: [00:16:30] Well, that's - now, that's true. That is one thing where I do agree that no one is taking that deep dive looking at the code. Are there vulnerabilities in there from a security perspective? And I understand that, and there are concerns there. And when we look at open source here, we want to make sure we've done a good vetting of whatever open source we may use. But the flip side is - and this is really for people building solutions, building products - if you take open source with a certain type of license and you build a product around that open source, your source code and your product is also there then required to be open source, meaning any code you write that is attached to certain open-source licenses is by definition now open source, as well. And you may be forced to give away your intellectual property. And that's really the concern I have for a lot of folks with a startup or, you know, trying to get off the ground with something. You really do need to be aware of that.

Dave Bittner: [00:17:33] So you could be running at maximum velocity trying to ship this product, and in doing so you add some open-source code. And then months later, it turns out that you have to reveal your code because you didn't take the time to read through the open-source agreement.

David Dufour: [00:17:50] That is it in a nutshell. And, David, we have spent here at Webroot many, many, many, many person hours getting through, you know, source-coded different licenses and making sure we've addressed that. Because the open-source community is getting - is really starting to pay attention to it. And I don't blame them. Because there's a lot of people who spend a lot of time writing really good code that's open source that they put out there for free for us to use, and they've done it out of the goodness of their heart. And it's not necessarily right that someone just take that and monetize it. So I agree with the community and the way they do it. I'm more just trying to alert people, you know, be aware that you may be on the hook for letting your intellectual property out there.

Dave Bittner: [00:18:39] It's good words of wisdom. David Dufour, thanks for joining us.

David Dufour: [00:18:43] Hey. Great being here, David. Have a great day.

Dave Bittner: [00:18:49] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.

Dave Bittner: [00:19:08] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:17] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.