The CyberWire Daily Podcast 8.1.19
Ep 897 | 8.1.19

Capital One investigation update. Don’t give up on the cloud. Exposed databases and backdoors. Cybercrime as high-stakes poker. Phishing the financials. Bots on holiday.

Transcript

Dave Bittner: [00:00:00] Hey everybody, it's Dave here. If you're heading out to Black Hat or DEF CON this year, be on the lookout for our CyberWire crew. If you see one of us rocking a CyberWire shirt, do stop and say hello. They'd love to meet you. I'm not going to make it there myself this year, but we've got a team of CyberWire folks who will be wandering the show floor, and they'd love to say hello. Safe travels.

Dave Bittner: [00:00:24] Investigators pursue the possibility that the alleged Capital One hacker might have hit other companies' data. An exposed Elasticsearch database, now secured, was found at Honda Motors. Data from beauty retailer Sephora are found on the dark web. Defenders are urged to think of themselves as in a poker game with the opposition. Phishing remains the biggest threat to financial services. And what vacation spots attract the eyes of bots? 

Dave Bittner: [00:00:57] Now I'd like to share some words about our sponsor, Akamai. You're familiar with cloud security, but what about security at the edge? With the world's only intelligent edge platform, Akamai stops attacks at the edge before they reach your apps, infrastructure and people. Their visibility into 178 billion attacks per day means that Akamai stays ahead of the latest threats, including responding to zero-day vulnerabilities. With 24/7/365 security operations center support around the globe and over 300 security experts in-house, Akamai surrounds and protects your users wherever they are - at the core, in the cloud or at the edge. If you're going to Black Hat USA this year, visit Akamai at Booth 1522 to take part in their crack the code challenge. Akamai - intelligent security starts at the edge. Learn more at Akamai - that's akamai.com/security. And we thank Akamai for sponsoring our show. 

Dave Bittner: [00:02:02] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com. 

Dave Bittner: [00:02:17] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 1, 2019. Investigation into the possibility that the alleged Capital One hacker hit other enterprises continues. According to Computing, however, Amazon says it's found no evidence that the organizations mentioned by Paige Thompson, who went by the name erratic, were actually compromised. The FBI is sorting it out, the Wall Street Journal reports. Not all the possible victims are in the U.S. 

Dave Bittner: [00:02:49] Discussing the Capital One breach, Duo Security says that people should not draw the conclusion that the cloud is somehow inherently less secure. Regular, reliable patching and updating alone represent an advantage, as does the broad view of threat activity cloud providers offer. But moving to the cloud does involve change, and that inevitably involves rethinking security. Old processes and protocols can't simply be assumed adequate in their new environment. 

Dave Bittner: [00:03:18] In an unrelated compromise that illustrates the hazards of mistakenly configured databases, an unsecured Honda Motors Elasticsearch database has been found by Cloudflare researchers. The exposed information is said to contain some 134 million documents with 40 gigabytes of information on about 300,000 Honda employees worldwide. The information of most concern wasn't the personally identifiable information about employees, although there was enough of that, mostly credentials, but rather detailed information about the endpoint devices on Honda's networks. This included such information as their patch status, the nature of the protections, if any, in place on them and their regular users. That information could have been used by an attacker to identify both weak points and high-value targets. 

Dave Bittner: [00:04:10] The data were exposed for some six days, at which point Honda, warned by the researchers, secured it. The automobile manufacturer found no signs that anyone other than the researchers had accessed it, so perhaps Honda dodged a bullet on this one. 

Dave Bittner: [00:04:26] The Straits Times discusses what appears to be a major breach at beauty retailer Sephora. Group-IB has found two databases circulating in dark web markets. Combined, the two databases hold about 3.7 million records. These don't contain either payment information or plaintext passwords, but Group-IB says the compromised data could be exploited for social engineering. 

Dave Bittner: [00:04:51] There's another case that seems to be the work of a genuine malicious insider - in this case, someone whom BleepingComputer calls a disgruntled admin. Club Penguin Rewritten, a multiplayer online game intended for players between the ages of 6 and 14 or so, began to leak email addresses, usernames and passwords belonging to players of the game. The leak came through a backdoor thought to have been installed and left open by an administrator who departed the company with a grudge. 

Dave Bittner: [00:05:21] Carbon Black announces what they call the cognitive attack loop. They view it as an improvement over Lockheed Martin's familiar cyber kill chain and over the similar model offered last year by MITRE. In Lockheed Martin's model, the kill chain describes a process in which attackers moved from reconnaissance, then to weaponization, on to delivery, then exploitation, to installation, to command and control, and finally on to actions and objectives. 

Dave Bittner: [00:05:49] MITRE last year offered an alternative version. In that model, attackers begin by establishing initial access, then move to execution, then persistence, escalation, evasion, credential discovery, lateral movement, collection, exfiltration and finally command and control. Where these models' organizing metaphor was engaging a target, Carbon Black asks us to imagine that we're playing poker - estimating probabilities and taking advantage of whatever you could see in the opponent's eyes. A look at their hand would be good, too. But of course, you can't count on that. We note that this is a pretty adversarial form of poker, not just a few friends playing Texas Hold'em or High Chicago. 

Dave Bittner: [00:06:32] Carbon Black's view of the cognitive attack loop seems to emphasize the way criminals think. Their look under the proverbial hoodie leads them to see a characteristic criminal three-step. First, reconnaissance and infiltration. Second, maintenance and manipulation. And third, execution and exfiltration. The organizing metaphor is robbery. At each step, Carbon Black is convinced, the cybercriminal exhibits some characteristic behavior. Understanding that, they argue, gives the defender an edge. 

Dave Bittner: [00:07:05] It's that time of year when folks are packing their bags and their sunscreen to head out to Las Vegas for Black Hat and DEF CON. Giovanni Vigna is CTO at Lastline and also a professor of computer science at the University of California at Santa Barbara, and he offers these insights. 

Giovanni Vigna: [00:07:22] Well, I think that Black Hat is somewhat different from other meetings like RSA or InfoSec Security in Europe. Black Hat is more for people in the trenches, people that want to understand the current technical trends. I found, maybe it's my experience, but I found that the people that attend Black Hat are a lot more involved in the day-to-day operation of securing networks - either as a solution provider or as somebody in the actual trenches. And therefore, the conversation is often very technical. 

Dave Bittner: [00:08:04] And what do you suppose is the benefit of being able to have those conversations face-to-face? 

Giovanni Vigna: [00:08:09] It gives you an unfiltered input on what are important aspects of the security problems. For example, while a top executive might be more concerned about how a certain solution allows him or her to report upwards about what a solution has done, somebody in the trenches might be more interested in how they can shorten the time to remediation. So for example - and I'm talking generically - you know, somebody sees a problem, a security problem, how fast they can handle the problem and find a solution to it. Those conversations oftentimes have driven our design or my understanding of how people, you know, use a specific solution. 

Dave Bittner: [00:09:01] So what are your expectations going into this year's Black Hat? 

Giovanni Vigna: [00:09:04] I think that - one thing that I've noticed, there is a lot of talking about the cybersecurity workforce. This has been a big problem since day one. We don't have enough people doing the job. We feel the pressure. I'm sure that every company has problems hiring and retaining good people. For some reason, I've seen more of this. And so I'm curious to see what the vibe is out there in terms of what companies are doing in order to recruit, to attract talent. And since Black Hat is more, you know, technical oriented, actually, that's the right place to have that discussion. So from that point of view, that's what I'm looking for. 

Giovanni Vigna: [00:09:53] On a more technical solution point of view, I'm looking forward to seeing what the next wave of interesting technologies is. You know, we had the, you know, huge artificial intelligence machine learning push, and now we are moving more towards the network traffic analytics and visibility and almost like, you know, the resurgence of network detection. And I am not using IDS on purpose because a lot of people, you know, consider that problem a solved problem, a commonly tied solution. But guess what? We're back to, you know, those good old days of network detection. 

Dave Bittner: [00:10:35] What sort of recommendations or tips do you have for someone who may be heading out to Black Hat for the first time? 

Giovanni Vigna: [00:10:42] Talk to people, especially in informal settings. I find that these kinds of settings where you just, you know, having a drink or, you know, talking around the proverbial water cooler are very informative, more than the discussion, you know, the specific booth of a specific company. And so I found these gatherings to be very good. And even I would say stay for DEF CON, the, you know, the follow-up hacking convention that sometimes has even more interesting content than Black Hat. 

Dave Bittner: [00:11:22] That's Giovanni Vigna from Lastline. 

Dave Bittner: [00:11:26] Akamai's latest State of the Internet report concludes that phishing remains the biggest threat to financial services firms and their customers. 

Dave Bittner: [00:11:34] A study by ExpressVPN finds that less than 20% of people actually read the terms of service before they go ahead and click yes, OK, got it, or some variation thereof. That's less than 1 in 5. But maybe people should close read those every now and then, lest they find themselves agreeing to hold Company X harmless in the event that Company X should sell, lose or take advantage of their data in some unjust way. 

Dave Bittner: [00:12:01] And finally, we're now in the dog days of the Northern Hemisphere's summer, and vacation travel is on many people's minds. It's on the mind of the bots, too, or at least their masters, according to a study posted yesterday by security firm PerimeterX. In this case, they're not necessarily attacking or malicious bots, but rather bots used by companies in the travel sector to gather information about markets and interests that can guide their decisions about pricing and inventory. Airports are of particular interest. 

Dave Bittner: [00:12:32] So what destinations are the bots snooping at? Iceland, Bangkok, Los Angeles and New York. In some places, the bots outnumbered the human searchers. PerimeterX warns the travel industry that their pricing models may be seriously skewed by the bots. 

Dave Bittner: [00:12:54] And now a message from our sponsor, ObserveIT. 

Unidentified Person #1: [00:12:59] Great party, huh? 

Dave Bittner: [00:13:00] Yeah. Yeah, great party. Could you excuse me for just a moment? Hey, you. What are you doing? What? Oh, no - looks like another insider got into our systems when we weren't looking. I am going to be in so much trouble with the boss. 

Unidentified Person #2: [00:13:20] Did someone say trouble? I bet I can help. 

Dave Bittner: [00:13:23] Who are you? 

Unidentified Person #2: [00:13:23] To catch insider threats, you need complete visibility into risky user activity. Here. I'll show you how ObserveIT works. 

Dave Bittner: [00:13:31] Wow. Now I can see what happened before, during and after the incident. And I'll be able to investigate in minutes. It used to take me days to do this. 

Unidentified Person #2: [00:13:41] Exactly. Now if you'll excuse me, I think there's a cocktail over there with my name on it. 

Dave Bittner: [00:13:46] But wait, what's your name? Oh, well. Thanks, ObserveIT and whoever she is. ObserveIT enables security teams to detect a risky user activity, investigate incidents in minutes and effectively respond. Get your free trial at observeit.com/cyberwire. 

Dave Bittner: [00:14:13] And joining me once again is Emily Wilson. She's the VP of research at Terbium Labs. Emily, you and I have been talking about this report you all published recently. This is "The Next Generation Of Criminal Financing." And there were some interesting little bits and pieces, little quirks in gathering data that you discovered along the way. 

Emily Wilson: [00:14:32] There were. You know, I think we mentioned in our previous discussions about this that this is the kind of thing, how much is fraud being used to fund serious transnational crime, that you would expect someone to have some data on somewhere, right? This is the kind of thing where you might have an outdated report, but you would expect there to be some data out there. 

Emily Wilson: [00:14:51] In our case in going through and trying to collect this data using court documents from a variety of different countries and trying to find instances where we see documented issues of payment card fraud or payment fraud tied back to these crimes, we ran into a lot of gaps. There were a lot of inconsistencies in documentation, a lot of inconsistencies in language, which you might expect from country to country, but even within the U.S. - seeing a variety of different terms used to describe different fraud elements or even to describe things like payment cards. So the inconsistencies there made it difficult to do research. 

Emily Wilson: [00:15:25] The other major inconsistency, and this is one that I found more troubling, is the gaps in reported fraud losses. So in the report, we talk about what we were able to measure in documented fraud losses from the cases used in this study. We found more than $1 billion in documented fraud losses. And $1 billion might seem like a lot. And it is a lot of money. But that comes from a very small percentage of cases that, first of all, reported any documented fraud losses, and second of all, provided any kind of value measure for them. Some of these would say things like more than $50,000 or more than $300,000, up to $1 million. And so we're talking about a subset of a subset of cases used for just this initial study to get to a $1 billion, just because of gaps in documentation. 

Emily Wilson: [00:16:17] What that tells me is that this is actually a multi-billion dollar problem. And the fact that we don't know how many billions of dollars in credit card fraud are being used to fund terrorist groups like Hezbollah or being used to traffic minors across international borders, that's concerning. You know, there aren't any requirements about consistently documenting these fraud losses or even consistently bringing fraud charges when you're able. 

Emily Wilson: [00:16:39] We saw cases where judges openly said they weren't interested in the fraud charges. And how many cases are there that the fraud charges didn't even make it as far as official documentation? This is a huge problem. And we don't have a good way to measure it, which I think is really concerning. 

Dave Bittner: [00:16:54] And so in your estimation, what sort of solution could be created here? 

Emily Wilson: [00:16:59] There are a few different areas I think where we need to make some changes. One, of course, law enforcement is under-resourced. They are constantly dealing with budget shortages and personnel shortages. And so fraud is never going to be at the top of the list of crimes you want to go after. There are plenty of violent crimes you might want to go after. Even some of these more serious transnational crimes, things like drug trafficking, that's always going to come before fraud does. 

Emily Wilson: [00:17:26] So on the law enforcement side, I think trying to find some incentives there that, you know, we should be looking at fraud as money. We should be looking at fraud as financing. And how does that change the calculus of - you know, if you go in and bust a major drug ring, you know, you find stolen credit cards. You get them on fraud charges. But what about the transaction history for those cards? Are there patterns there that can tie back to some sort of broader ring? Are there patterns there that can tie to other activities? 

Emily Wilson: [00:17:56] That's on the law enforcement side. On the financial side, you know, the card networks like Visa and American Express, these card networks are in possession of a lot of information. They have all of the transaction data for their issuing banks. So they are really the ones here who have the aggregate data that could point to fraud trends that you might see that could flag something like organized crime, that could flag something like human trafficking. 

Emily Wilson: [00:18:23] And of course, the financial industry and the payments industry don't have specific regulation about a maximum allowable amount of fraud. The card networks do have certain requirements. Obviously, there's a lot of anti-money-laundering legislation. But when you think about some of the smaller charges that could be building up - a hotel room here, a plane ticket there - small-budget items that could be used again to fund some of the operational costs or the lifestyle costs for these groups, especially if you're spreading that out over a large number of cards, you know, how are we going to begin to identify patterns in this data unless we have something like a card network working with law enforcement and an understanding on both sides here that this fraud is being used to fund very serious crimes? 

Emily Wilson: [00:19:10] This fraud is, in effect, a national security issue. It's not just a financial issue. It's not just a nuisance. It's not just part of a bottom line where you have to worry about customer stickiness or reissuing cards or chargeback costs, right? This is funding. This is - that's one of the reasons that we named the report what we did. It's the next generation of criminal financing. 

Emily Wilson: [00:19:32] And of course, in the dark web, we see millions of stolen cards for sale. So it's very easy for people to get their hands on these cards. And then no one's asking too many questions once, you know, the fraud happens. It's more about remediation and a little bit less about investigation. 

Dave Bittner: [00:19:45] All right. Well, Emily Wilson, thanks for joining us. 

Emily Wilson: [00:19:48] Thank you. 

Dave Bittner: [00:19:53] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. 

Dave Bittner: [00:20:16] Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.