The CyberWire Daily Podcast 11.30.18
Ep 735 | 11.30.18

Marriott suffers data breach. Dunkin' Donuts credential stuffing attack. Urban Massage database exposed, unsecured. Fancy Bear paws at German government targets. SamSam cost.


Dave Bittner: [00:00:03] Marriott's big breach. And Dunkin' Donuts' big breach. And Urban Massage's embarrassing exposure. Lessons are drawn about third-party risk, password reuse and the importance of being less creepy to the people you do business with. Fancy Bear shows up to paw at the phish swimming in Germany's government. Distinguished engineer and IoT security strategist from Cisco, Michele Guel, joins us. And how much did SamSam really cost people - FBI, DOJ? Is it millions or billions? In either case, you're talking about real money.

Dave Bittner: [00:00:45] And now a word from our sponsor, ObserveIT. (Singing) It's the most wonderful time of the year. Well, sort of. We're talking about budgeting season. Most cybersecurity professionals agree that they need more budget. Unfortunately, many organizations wait until a costly incident occurs to provide the budget their security teams need. A case in point, insider threats cost organizations on average $8.76 million per year, according to a Ponemon Institute survey. But 34 percent of cybersecurity professionals named lack of budget as a major barrier to establishing an effective insider threat management program. So how do you ask for the budget you need to proactively detect and stop insider threats? The latest guide from ObserveIT gives an in-depth look at insider threat budgeting, including determining top cost centers, evaluating your organization's risk and especially making the case to management for a dedicated insider threat management line item. Visit, and check out ObserveIT's "Guide to Budgeting for Insider Threat Management" today. That's And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:02:13] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 30, 2018.

Dave Bittner: [00:02:25] Hotel chain Marriott disclosed this morning that data belonging to about 500 million guests over the last four years have been illicitly accessed. Attackers have been in the company's Starwood guest reservation database since 2014. The brands affected included more than just Marriott. W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, the Luxury Collection, Tribute Portfolio, Le Meridien Hotels & Resorts, Four Points by Sheraton and Design Hotels were all hit.

Dave Bittner: [00:03:02] Starwood, acquired by Marriott in 2015, disclosed a breach affecting 50 properties shortly after the acquisition closed, as Krebs on Security reminds readers in the course of giving a brief and helpful review of significant hospitality sector breaches. Most of the affected guests, around 375 million of them, lost data that included contact information, name, address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth and gender. An undisclosed number of guests also lost pay card information, as ZDNet reports.

Dave Bittner: [00:03:41] Theft of this sort of data, of course, opens up the possibility of some large-scale identity fraud. We've received a lot of informed speculation from industry sources on the incident. OneSpan's John Gunn thinks the impact on the victims is the most important aspect of the hack, and he zeroes in on the theft of passport numbers. Gunn said in an email, quote, "it is remarkably easy to request a replacement credit card from your financial institution, and you are not responsible for fraudulent activities. Try that with your passport," end quote. Bromium's Sherban Naum commented, quote, "after a four-year, long-term stay in the Starwood Hotel database, the hackers finally checked out and with more than complimentary bathrobes," end quote. He notes that the hackers were apparently quietly present in the hotel chain's systems for at least four years and that this patient persistence is increasingly characteristic of the more damaging sorts of criminal activity.

Dave Bittner: [00:04:38] Another breach in the hospitality industry hit Dunkin' Donuts, which sustained a credential stuffing attack that yielded details of customers' DD Perks loyalty accounts. The hackers didn't compromise Dunkin' Donuts' own systems but merely tried credentials they'd gained in other unrelated attacks on various third parties. Dunkin' Donuts did indeed share customer information with some third parties in accordance with its terms of service, and one of those was the source of the breach.

Dave Bittner: [00:05:07] Dunkin' Donuts discovered the issue at the end of October, and strongly urged that its customers reset their passwords and not reuse them across different accounts. Why steal donut shop loyalty points? No, it's not because skids are out there jonesing for a doughnut, Bavarian cream-filled or even some marbled frosted. Instead, the crooks are selling the points to those who are. There is a brisk black-market trade in all varieties of loyalty points on the dark web, and DD Perks points have been a staple in the markets for some time. As Motherboard puts it, after doing some window-shopping, the points can be had dirt cheap. So this is a petty crime sort of hack. And if the criminals make a pile doing it, their secret will be volume.

Dave Bittner: [00:05:51] Not quite hospitality perhaps, but London-based Urban Massage's booking app was apparently not protected by any sort of password at all. And the Elasticsearch skinny on some 300,000-plus clients was left out there exposed to inspection by a Shodan search. The good news is that there weren't pay card data among the exposures.

Dave Bittner: [00:06:12] The bad news is that employee comments about the customers - including complaints about behavior the bluestockings over at TechCrunch sniffishly called creepy - well, those were out there, too. But if you've recently booked a massage into a Marriott property while enjoying a chocolate frosted doughnut and a medium coffee, check your wallet. We're just saying.

Dave Bittner: [00:06:35] Fancy Bear is making another run at German lawmakers. Spiegel is reporting that Snake, another name for APT28 - also known of course as Fancy Bear - is phishing targets in the Bundestag and Bundeswehr and various embassies. The evident goal is espionage. Snake, APT28, Fancy Bear - remember; they're all variant names for a hacking crew out of Russia's GRU.

Dave Bittner: [00:07:02] Finally, the losses to SamSam ransomware and the costs in recovery and remediation it imposed were surely disturbingly high. The FBI statement pegged it at $30 billion with a B. The Department of Justice indictment said $30 million with an M. In either case, it's a lot. And what's three orders of magnitude between Main Justice and the J. Edgar Hoover building?

Dave Bittner: [00:07:33] And now a word from our sponsor Edgewise. If you've been following cybersecurity news in the past year, you've probably heard the phrase zero trust security more than once. The TL;DR of zero trust is to never trust and always verify every connection in your environment. That all may sound well and good, but the next questions are how, why and where to begin. If you're in search of a guide to help you get from zero to zero trust, Edgewise Networks has you covered. They recently published "Zero Trust Security for Dummies" to help organizations like yours understand what zero trust security is and how it can prevent breaches in your cloud or data center. "Zero Trust Security for Dummies" has the answers to all your zero trust questions. And the book is available for free. You can download it at That's And we thank Edgewise for sponsoring our show.

Dave Bittner: [00:08:43] I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos. Rob, we had a story come by from Andy Greenberg from WIRED. This was "How Hacked Water Heaters Could Trigger Mass Blackouts." So an IoT threat that could cause the grid to go down - what's your take here?

Robert M. Lee: [00:09:01] Yeah, I think this is - I'm going to try to position multiple aspects. And one position - first and foremost, I've worked with Andy before. He's usually a really nuanced journalist. And he tries to capture the story correctly. So...

Dave Bittner: [00:09:12] Yeah.

Robert M. Lee: [00:09:13] ...Right off the bat, when I hear it's Andy and I look at this article - like, I read the title, I'm like, oh, crap. Here we go. And then I read the reporter's name. I'm like, well, there might be something to it. And in all of these discussions, the positive thing I'll say - because I think I come on the show, and you would ask me these questions where I'm, like, the skeptic. You know, (unintelligible) a lot of positive things to say here. So there's - a positive thing I'll say about the story is the interconnectivity of our IoT-type devices in the home as well as the industrial Internet of Things - so your robot arms, your smart meters, your various interconnected components that haven't been traditionally connected of industrial environment - that the interconnectivity of both of those is very interesting and introduces risk that has not been fully appreciated.

Robert M. Lee: [00:09:57] And we even see this in places like gas pipelines and oil refineries and manufacturing where cloud-based applications are starting to give access directly to sensors and various components of industrial automation in a way that they've never been accessed before and introduces risk from a cyber resilience as well as cyberthreats component that hasn't been fully appreciated. So on the backdrop, this is all a discussion that's good to have. And we should be talking about it and trying to figure out where the risk is. On the other hand, I'm never a big fan of kind of the highlights of, hey, here's a real problem; we should look into it or we're all going to die. Like, that's where the story generally goes of, like...

Dave Bittner: [00:10:42] Right.

Robert M. Lee: [00:10:42] ...Oil managers. There's a gap. There's a whole big gap. And so the water heater discussion - and Ben Miller, our director of third operations that was in the story and quoted as saying that the size required of the botnet be able to do that out of these components is not available today. There's not enough of these smart water heaters in a store, as an example, to have any unnecessary impact on grid operations or reliability of the grid based on the size and scope of the problem today.

Robert M. Lee: [00:11:15] However, that's not to say, oh, well, as it expands, we will. No, as things expand, there will also be other considerations. And where a lot of these stories fall a little flat is they're great about identifying some risk, but they're not already aware of the compensating controls in place today.

Robert M. Lee: [00:11:31] There's another similar story that came out a couple months ago. There was a really good paper by some researchers that looked at smart sprinkler systems and said, look; you could hack one of these gateways and turn all the sprinkler systems on and empty a city's reservoir within a couple hours. And so on its surface, some of these things are technically true. Like, they dug into it. They looked into it. They measured the flow rates of the sprinkler systems, how much water has to be in there.

Robert M. Lee: [00:12:00] Like, all these things are technically accurate on what you could do from a technology standpoint but aren't necessarily accurate on what could happen considering everything else. As an example, any water engineer or operator sitting there at the utility, your local water utility, is not going to watch their reservoir and be like, oh, man, that's super weird. Like, they're going to take action.

Robert M. Lee: [00:12:22] Like, the system itself doesn't take actions, but there are, you know, safeguards put into the systems themselves. And even if the system itself doesn't just trip and go, yeah, that's too much flow going out, we're going to throw an alarm and take some action in the system, which is more likely to happen, than your human operator being like, yeah, that's - something's wrong. Turn off that line.

Robert M. Lee: [00:12:38] You know, and so the same discussion with - this water heater discussion of a botnet, you know, a sufficiently sized botnet that would have to occur would first have to go completely undetected. Botnets are usually pretty noisy. Everybody would have to miss this. And let's just say that all happens. Then by the time it actually starts doing something, then you've got disconnects that could be put into place, you know, your electric grid operators are used to.

Robert M. Lee: [00:13:06] I mean, it's not a fairly good thing to do, but they're used to having to shuffle power around in adverse situations. Like, maybe a facility - they were expecting like a - they were expecting a power outage this morning, had a failure. So they have to pull generation from another, you know, portion. Or, you know, there's some faults of the lines. They've got to usher power around. I mean, they're used to moving electricity around.

Dave Bittner: [00:13:31] Even - I mean, I think about high-demand days for things like air conditioning, where they'll have rolling brownouts.

Robert M. Lee: [00:13:38] Exactly. I mean, so it's - technical accuracy is possible one day, but it's just not realistic given all of the other considerations. You have to remove all security considerations. You have to remove all human considerations. You have to remove all system considerations. And you basically create this isolated lab, an environment where something like that is possible. And so it's important to talk about it.

Robert M. Lee: [00:14:03] And it's also important to have this conversation and go, well, what of our safeguards would help us with this situation? Like, oh, these things. Oh, cool. Those are important, so make sure we don't take those out. You know, like, it's important to have these conversations. I think the dialogue is good, but freaking out - oh, my gosh, smart water heaters - down the grid - like, no, dude. It's fine. And so I think that's more of the point.

Dave Bittner: [00:14:24] All right. Well, Rob Lee, thanks for joining us.

Dave Bittner: [00:14:31] And now a few words about our sponsor, our friends in the technology news world, Techmeme. You probably know Techmeme from their curated online comprehensive view of all the day's tech news. And now, they also produce the Techmeme "Ride Home" podcast. If you like the CyberWire and you're looking for even more technology news, Techmeme "Ride Home" is the podcast for you. We're fans, and we think you'll like it too. It's 15 to 20 minutes long and hosted by veteran podcaster Brian McCullough. You may know Brian from the "Internet History" podcast. The "Ride Home" distils Techmeme's content into, well, the kind of things you'd like to listen to on the ride home - headlines, context and conversation about the world of tech. It posts every weekday afternoon around 5 p.m., great for afternoon drive time in the U.S. Be sure to search your favorite podcast app for "Ride Home" and subscribe today. That's the Techmeme "Ride Home" podcast. And we thank the Techmeme "Ride Home" podcast for sponsoring our show.

Dave Bittner: [00:15:36] My guest today is Michele Guel. She's a distinguished engineer and IoT security strategist at Cisco with over 30 years in the industry. We started our conversation discussing the work she's done with IoT devices in smart cities.

Michele Guel: [00:15:51] There's a lot of interest. There's a lot of great potential for cities to use IoT infrastructure to provide, say, early warning systems for flood, which is something that's been done in Texas and Mexico to help make better use of resources that are scarce, whether it's power, whether it's water, to better protect the city, provide more convenient traffic flow. So I think there's a lot of potential. And cities do need to implement that type of automation to improve the overall management of their city. But there are definitely some challenges in general with - I'll just call them IoT ecosystems.

Dave Bittner: [00:16:32] Can we touch on some of the privacy issues there? How do you make sure that, when these systems are going online, that they're also respecting the citizen's ability to maintain their privacy?

Michele Guel: [00:16:45] Yeah. So that's one of the bigger issues that come up. The smart city program that I was on last year actually for about 18 months was in Europe, more specifically in London. So one of the actions they took - and I wasn't part of this because I was in the U.S. and it was in London - they had a very focused group that they spun up initially that was all around the privacy in terms of understanding what data was going to be collected. Did - you know, that the citizens had an opportunity to opt in where possible.

Michele Guel: [00:17:19] Like, one example would be one of the use cases they ran was - I'm not sure of the official name - but it was essentially an early warning system in health management system for people with asthma. And so they had smart inhalers. And they would get alerts on their mobile phone when there was air quality or there was a big, you know, there was a lot of port activity coming in. 'Cause they always knew the pollution was higher when the transport ships come in. So they would get an early warning, and the recommendation might be to use their smart inhaler.

Michele Guel: [00:17:54] So there was personal - potentially personal information, but they were opting in. Like, I'm going to participate in this smart health monitoring. Therefore, I know that they have my - you know, my inhaler number's registered to a user number assigned to me, and my doctor knows what that is. So they approached it from the beginning of designing that solution what needs to happen. There are other incidental (laughter) privacy - I'll call them privacy violations in my personal view that happened that is one of the things that I brought up.

Michele Guel: [00:18:30] For example, you have a smart city implementation with, like, a video - an interactive video wall where the citizens can come in this big building. And then they can - you know, it's, like, the multi-screens, and they can click on a screen. And maybe they want to see what tourist activities. And they can click on another screen and see news. Well, there's another camera that's monitoring the video board. And so when they walk in the building, do they know that there's another camera that's capturing them or perhaps a camera that's actually seeing people that aren't even interacting with the board?

Michele Guel: [00:19:04] So you have that sort of incidental, maybe - this is not necessarily personal privacy information. But if I didn't know I was going to be on the camera when I walked by, do I know that? So there are challenges with smart city implementations. And privacy is paramount. But in the connected world, there - I would say the industry as a whole is still learning and maturing what approaches need to be taken to ensure that all these, you know, sensor-enabled devices that are capturing various information - maybe a single device is not capturing personal information.

Michele Guel: [00:19:39] But, say, in my Echo system in my house or the way I interact with the world across the day, there's a lot of different data. And if you combine that, the combination of all the data may reveal more about me than I understand and may not be aware of. So it's not in its individual sensors to look at. We also look about how the data's combined and look at that. And the industry as a whole has a lot of maturity that's needed in that area.

Dave Bittner: [00:20:07] I want to talk some about your role as a pioneer in the industry, particularly as a pioneering woman in the industry. I'm wondering, what's your perspective been? Coming up through this industry that is certainly male-dominated, what have you seen? And how do you feel like things have been recently?

Michele Guel: [00:20:24] What I do know in the early days is - I do get asked this question quite a bit - that I - it was never - I never really stopped and thought, like, hey, I'm the only girl in the room. I think it was just more of a - expected because it was the late '80s. Sorry (laughter). It was still way more male-dominated than it was now. But - and even through the '90s, there just wasn't an industry standard focused on it. And then it became a - more like, wow, there's just - there's not very many of us in here. And you didn't really hear about any focused activities.

Michele Guel: [00:20:57] I think the first sort of a-ha moment I had with some other women is - typically when women go to a security conference or any kind of technical conference, but in my experience security conferences, you could sit in a room with a thousand people, a couple hundred people, you could look around and count. Right? You could see that there wasn't very many women. But this one conference was a SANS conference. We went to the (laughter) ladies' room at break, and there was actually a line. We all kind of looked at each other like, wow, there's enough of us that there's a line. That - we haven't seen that before.

Michele Guel: [00:21:27] And so I always tell people that was sort of like an a-ha moment, like, (laughter) wow, we have enough women in the room there's a line. And so then you began to see organizations have more of a focus. What I have learned and more the industry is coming to an awareness about is we really need to reach the youth in middle school because that's when they're starting to make their decision about what I want to be when I grow up. And if they don't know that cybersecurity is an opportunity - and most often, they don't - then it's not even on their radar.

Michele Guel: [00:21:59] They may learn about it later, but if we can get the word out at an earlier age that there's a lot of great opportunities in this field - there's a high need - and then being able to demonstrate that it's an exciting industry. Women like to save the world. They like to help people. And phrasing it from, what are the things that you can do with a cybersecurity background that makes an impact in the world? How can you help a financial institution be secure? How can you help in the medical field? How can you secure a smart city so that city can make efficient uses of its resources and be secure?

Michele Guel: [00:22:37] So that's the way I feel and growing numbers of people feel in the industry, that we need to have the messaging to the younger generation so they see it as a great opportunity, and they find it exciting, and then help them with skills and understanding, like, OK, it's still going to be a lot of guys. You may be the only girl in your cybersecurity group at school, but keep going. You know, be bold. Be brave. Step out and just go for it because there's great opportunity.

Dave Bittner: [00:23:06] That's Michele Guel from Cisco. And that's the CyberWire.

Dave Bittner: [00:23:13] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:23:39] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.