CyberWire Daily - Capital One investigation update. Don’t give up on the cloud. Exposed databases and backdoors. Cybercrime as high-stakes poker. Phishing the financials. Bots on holiday.
Episode Date: August 1, 2019. Investigators pursue the possibility that the alleged Capital One hacker might have hit other companies' data. An exposed Elasticsearch database, now secured, was found at Honda Motors. Data from beauty retailer Sephora are found on the dark web. Defenders are urged to think of themselves as in a poker game with the opposition. Phishing remains the biggest threat to financial services. And what vacation spots attract the eyes of bots? Emily Wilson from Terbium Labs with more details from their recent fraud and international crime report. Guest is Giovanni Vigna from Lastline with thoughts on the upcoming Black Hat conference. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/August/CyberWire_2019_08_01.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Investigators pursue the possibility that the alleged Capital One hacker might have hit other companies' data.
An exposed Elasticsearch database, now secured, was found at Honda Motors. Data from beauty retailer Sephora are found on the dark web.
Defenders are urged to think of themselves as in a poker game with the opposition.
Phishing remains the biggest threat to financial services.
And what vacation spots attract the eyes of bots?
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, August 1st, 2019.
Investigation into the possibility that the alleged Capital One hacker hit other enterprises continues. According to Computing, however,
Amazon says it's found no evidence that the organizations mentioned by Paige Thompson,
who went by the name Erratic, were actually compromised.
The FBI is sorting it out, the Wall Street Journal reports.
Not all the possible victims are in the U.S.
Discussing the Capital One breach,
Duo Security says that people should
not draw the conclusion that the cloud is somehow inherently less secure. Regular, reliable patching
and updating alone represent an advantage, as does the broad view of threat activity cloud
providers offer. But moving to the cloud does involve change, and that inevitably involves
rethinking security. Old processes and protocols can't simply be assumed adequate in their new environment.
In an unrelated compromise that illustrates the hazards of mistakenly configured databases,
an unsecured Honda Motors Elasticsearch database has been found by Cloudflare researchers.
The exposed information is said to contain some 134 million documents
with 40 gigabytes of information on about 300,000 Honda employees worldwide.
The information of most concern wasn't the personally identifiable information about employees,
although there was enough of that, mostly credentials,
but rather detailed information about the endpoint devices
on Honda's networks. This included such information as their patch status, the nature of the protections,
if any, in place on them, and their regular users. That information could have been used
by an attacker to identify both weak points and high-value targets. The data were exposed for some six days, at which point Honda, warned by the researchers,
secured it.
The automobile manufacturer found no signs that anyone other than the researchers had
accessed it, so perhaps Honda dodged a bullet on this one.
The Straits Times discusses what appears to be a major breach at beauty retailer Sephora.
Group-IB has found two databases circulating in dark web markets.
Combined, the two databases hold about 3.7 million records.
These don't contain either payment information or plain text passwords,
but Group-IB says the compromised data could be exploited for social engineering.
There's another case that seems to be the work of a genuine malicious insider,
in this case someone whom Bleeping Computer calls a disgruntled admin.
Club Penguin Rewritten, a multiplayer online game intended for players between the ages of 6 and 14 or so,
began to leak email addresses, usernames, and passwords belonging to players of the game.
The leak came through a back door thought to have been installed and left open by an administrator who departed the company with a grudge.
Carbon Black announces what they call the Cognitive Attack Loop.
They view it as an improvement over Lockheed Martin's familiar Cyber Kill Chain
and of the similar model offered last year by MITRE.
In Lockheed Martin's model, the kill chain describes a process in which attackers moved
from reconnaissance, then to weaponization, on to delivery, then exploitation, to installation,
to command and control, and finally on to actions and objectives. MITRE last year offered an
alternative version.
In that model, attackers begin by establishing initial access,
then move to execution, then persistence, escalation, evasion,
credential discovery, lateral movement, collection, exfiltration,
and finally, command and control.
Where these models' organizing metaphor was engaging a target, Carbon Black asks us to imagine that we're playing poker,
estimating probabilities and taking advantage of whatever you could see in the opponent's eyes.
A look at their hand would be good too, but of course you can't count on that.
We note that this is a pretty adversarial form of poker,
not just a few friends playing Texas Hold'em or High Chicago.
Carbon Black's view of the cognitive attack loop seems to emphasize the way criminals think.
Their look under the proverbial hoodie leads them to see a characteristic criminal three-step.
First, reconnaissance and infiltration. Second, maintenance and manipulation. And third,
execution and exfiltration. The organizing metaphor is robbery.
At each step, Carbon Black is convinced,
the cybercriminal exhibits some characteristic behavior.
Understanding that, they argue, gives the defender an edge.
It's that time of year when folks are packing their bags and their sunscreen
to head out to Las Vegas for Black Hat and DEF CON.
Giovanni Vigna is CTO at Lastline and also a professor of computer science at the University of California at Santa Barbara,
and he offers these insights.
Well, I think that Black Hat is somewhat different from other meetings like RSA or InfoSec Security in Europe. Black Hat is more for people in the trenches,
people that want to understand the current technical trends. I found, maybe it's my experience, but I found that the people that attend Black Hat are a lot more involved in the day-to-day operation of securing networks, either as a solution provider
or as somebody in the actual trenches. And therefore, the conversation is often very technical.
And what do you suppose is the benefit of being able to have those conversations face-to-face?
It gives you an unfiltered input on what are important aspects of the security problems. For example, while a top executive might be more concerned about how
a certain solution allows him or her to report upwards about what a solution has done, somebody in the trenches might be more
interested in how they can shorten the time to remediation. So, for example, and I'm talking
generically, you know, somebody sees a problem, a security problem, how fast they can handle the
problem and find a solution to it. Those conversations oftentimes have driven our design
or my understanding of how people use a specific solution.
So what are your expectations going into this year's Black Hat?
I think that one thing that I've noticed, there is a lot of talking about the cyber security
workforce. This has been a big problem since day one. We
don't have enough people doing the job. We feel the pressure. I'm sure that every company has
problems hiring and retaining good people. For some reason, I've seen more of this. And so I'm
curious to see what the vibe is out there in terms of what companies are
doing in order to recruit, to attract talent. And since Black Hat is more, you know, technical
oriented, actually, that's the right place to have that discussion. So from that point of view,
that's what I'm looking for. On a more technical
solution point of view, I'm looking forward to see what are the next wave of interesting
technologies. We had the huge artificial intelligence, machine learning push, and now
we are moving more towards the network traffic analytics and visibility and almost like, you know, the resurgence of network detection.
And I am not using IDS on purpose because a lot of people, you know, consider that problem a solved problem, a commoditized solution.
But guess what? We're back to, you know, those good old days of network
detection. What sort of recommendations or tips do you have for someone who may be heading out
to Black Hat for the first time? Talk to people, especially in informal settings. I find that these
kind of settings where you're just, you know, having a drink or, you know, talking around the proverbial water cooler are very informative, more than the discussion at the specific booth of a specific company.
And so I found these gatherings to be very good. And even, I would say, stay for DEF CON,
the follow-up hacking convention that sometimes has even more interesting content than Black Hat.
That's Giovanni Vigna from Lastline.
Akamai's latest State of the Internet report concludes that phishing remains the biggest threat to financial services firms and their customers.
A study by ExpressVPN finds that less than 20% of people actually read the terms of service before they go ahead and click yes, okay, got it, or some variation thereof.
That's less than one in five,
but maybe people should close-read those every now and then,
lest they find themselves agreeing to hold Company X harmless in the event that Company X should sell, lose, or take advantage of their data
in some unjust way.
And finally, we are now in the dog days of the Northern Hemisphere's summer,
and vacation travel is on many people's minds.
It's on the mind of the bots, too, or at least their masters,
according to a study posted yesterday
by security firm PerimeterX.
In this case, they're not necessarily
attacking or malicious bots,
but rather bots used by companies
in the travel sector
to gather information about markets
and interests that can guide their decisions
about pricing and inventory.
Airports are of particular interest.
So what destinations are the bots snooping at?
Iceland, Bangkok, Los Angeles, and New York.
In some places, the bots outnumbered the human searchers.
PerimeterX warns the travel industry that their pricing models may be seriously skewed
by the bots.
And joining me once again is Emily Wilson. She's the VP of Research at Terbium Labs.
Emily, you and I have been talking about this report you all published recently.
This is the next generation of criminal financing.
And there were some interesting little bits and pieces, little quirks in gathering data that you discovered along the way.
There were. about this, that this is the kind of thing, how much is fraud being used to fund serious
transnational crime, that you would expect someone to have some data on somewhere, right?
This is the kind of thing where you might have an outdated report, but you would expect
there to be some data out there.
In our case, in going through and trying to collect this data using court documents from
a variety of different countries and trying to find instances where we see documented issues
of payment card fraud or payment fraud tied back to these crimes, we ran into a lot of gaps.
There were a lot of inconsistencies in documentation, a lot of inconsistencies in
language, which you might expect from country to country, but even within the U.S., seeing a
variety of different terms used to describe different fraud elements or even to describe things like payment cards.
So the inconsistencies there made it difficult to do research.
The other major inconsistency, and this is one that I found more troubling, is the gaps in reported fraud losses.
So in the report, we talk about what we were able to measure in documented fraud losses from the cases used in this study,
we found more than a billion dollars in documented fraud losses. And a billion dollars might seem
like a lot, and it is a lot of money, but that comes from a very small percentage of cases that,
first of all, reported any documented fraud losses, and second of all, provided any kind
of value measure for them. Some of these would say things like
more than $50,000 or more than $300,000, up to a million dollars. And so we're talking about a
subset of a subset of cases used for just this initial study to get to a billion dollars just
because of gaps in documentation. What that tells me is that this is actually a multi-billion dollar problem. And the fact that we don't know how many billions of dollars in credit
card fraud are being used to fund terrorist groups like Hezbollah or being used to traffic
minors across international borders, that's concerning. There aren't any requirements
about consistently documenting these fraud losses or even consistently bringing fraud
charges when you're able. We saw cases where judges openly said they weren't interested in the fraud charges.
And how many cases are there that the fraud charges didn't even make it as far as official
documentation? This is a huge problem and we don't have a good way to measure it, which I think is
really concerning. And so in your estimation, what sort of solution could be created here?
There are a few different areas, I think, where we need to make some changes. One, of course: law enforcement is under-resourced. They are constantly
dealing with budget shortages and personnel shortages, and so fraud is never going to be at
the top of the list of crimes you want to go after. There are plenty of violent crimes you might want
to go after, even some of these more serious transnational crimes, things like drug trafficking.
That's always going to come before fraud does. So on the law enforcement side, I think trying to
find some incentives there that, you know, we should be looking at fraud as money. We should
be looking at fraud as financing. And how does that change the calculus of, you know, if you go
in and bust a major drug
ring, you know, you find stolen credit cards, you get them on fraud charges. But what about the
transaction history for those cards? Are there patterns there that can tie back to some sort of
broader ring? Are there patterns there that can tie to other activities? That's in the law
enforcement side. On the financial side, you know, the card networks like Visa and American Express, these card networks are in possession of a lot of information. They have all of the transaction data for their issuing banks. could point to fraud trends that you might see that could flag something like organized crime,
that could flag something like human trafficking. And of course, the financial industry and the
payments industry don't have specific regulation about a maximum allowable amount of fraud.
The card networks do have certain requirements. Obviously, there's a lot of anti-money laundering
legislation. But when you think about some of the smaller charges that could be building up, a hotel room here, a plane ticket there, small budget items
that could be used, again, to fund some of the operational cost or the lifestyle cost for these
groups, especially if you're spreading that out over a large number of cards, you know, how are
we going to begin to identify patterns in this data unless we have something like a card network working with law enforcement and an understanding on both sides here that
this fraud is being used to fund very serious crimes.
This fraud is, in effect, a national security issue.
It's not just a financial issue.
It's not just a nuisance.
It's not just part of a bottom line where you have to worry about customer stickiness
or reissuing cards or chargeback costs, right? This is funding. That's one of the reasons that
we named the report what we did. It's the next generation of criminal financing. And of course,
in the dark web, we see millions of stolen cards for sale. So it's very easy for people to get
their hands on these cards. And then no one's asking too many questions once the fraud happens.
It's more about remediation and a little bit less about investigation.
All right. Well, Emily Wilson, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too. The CyberWire podcast is
proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building
the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is
Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol
Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard,
Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.