CyberWire Daily - Marriott suffers data breach. Dunkin Donuts credential stuffing attack. Urban Massage database exposed, unsecured. Fancy Bear paws at German government targets. SamSam cost.
Episode Date: November 30, 2018

In today's podcast we hear about Marriott's big breach. And Dunkin' Donuts' big breach. And, and, Urban Massage's embarrassing exposure. Lessons are drawn about third-party risk, password reuse..., and the importance of being less creepy to the people you do business with. Fancy Bear shows up to paw at the phish swimming in Germany's government. And how much did SamSam really cost people? FBI? DoJ? Is it millions or billions? In either case you're talking about real money. Robert M. Lee from Dragos discusses the notion of IoT hot water heaters taking down the power grid. Guest is Michelle Guel from Cisco, discussing smart cities and her perspective as a pioneering woman in the industry. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_30.html
Transcript
...big breach. And, and, Urban Massage's embarrassing exposure. Lessons are drawn about third-party risk, password reuse, and the importance of being less creepy to the people you do business with. Fancy Bear shows up to paw at the phish swimming in Germany's government. Distinguished engineer and IoT security strategist from Cisco Michelle Guel joins us. And how much did SamSam really cost people? FBI? DOJ? Is it millions or billions? In either case, you're talking about real money.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 30th, 2018.

Hotel chain Marriott disclosed this morning that data belonging to about 500 million guests over the last four years has been illicitly accessed. Attackers have been in the company's Starwood guest reservation database since 2014. The brands affected included more than just Marriott. W Hotels, St. Regis, Sheraton Hotels and Resorts, Westin Hotels and Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels and Resorts, Four Points by Sheraton, and Design Hotels were all hit. Starwood, acquired by Marriott in 2015, disclosed a breach affecting 50 properties shortly after the acquisition closed, as Krebs on Security reminds readers in the course of giving a brief and helpful review of significant hospitality-sector breaches. Most of the affected guests, around 375 million of them, lost data that included contact information: name, address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, and gender. An undisclosed number of guests also lost paycard information, as ZDNet reports. Theft of this sort of data, of course, opens up the possibility of some large-scale identity fraud.

We've received a lot of informed speculation from industry sources on the incident. OneSpan's John Gunn thinks the impact on the victims is the most important aspect of the hack, and he zeroes in on the theft of passport numbers. Gunn said in an email, quote, It is remarkably easy to request a replacement credit card from your financial institution, and you are not responsible for fraudulent activities. Try that with your passport, end quote.

Bromium's Sherban Naum commented, quote, After a four-year long-term stay in the Starwood Hotel database, the hackers finally checked out, and with more than complimentary bathrobes, end quote. He notes that the hackers were apparently quietly present in the hotel chain's systems for at least four years, and that this patient persistence is increasingly characteristic of the more damaging sorts of criminal activity.
Another breach in the hospitality industry hit Dunkin' Donuts, which sustained a credential stuffing attack that yielded details of customers' DD Perks loyalty accounts. The hackers didn't compromise Dunkin' Donuts' own systems, but merely tried credentials they'd gained in other, unrelated attacks on various third parties. Dunkin' Donuts did indeed share customer information with some third parties, in accordance with its terms of service, and one of those was the source of the breach. Dunkin' Donuts discovered the issue at the end of October and strongly urged that its customers reset their passwords and not reuse them across different accounts.

Why steal donut shop loyalty points? No, it's not because skids are out there jonesing for a Bavarian cream-filled donut, or even some marbled frosted. Instead, the crooks are selling the points to those who are. There's a brisk black market trade in all varieties of loyalty points on the dark web, and DD Perks points have been a staple in the markets for some time. As Motherboard puts it, after doing some window shopping, the points can be had dirt cheap. So this is a petty-crime sort of hack, and if the criminals make a pile doing it, their secret will be volume.

Not quite hospitality perhaps, but London-based Urban Massage's booking app was apparently not protected by any sort of password at all, and the Elasticsearch skinny on some 300,000-plus was left out there exposed to inspection by a Shodan search. The good news is that there weren't paycard data among the exposures. The bad news is that employee comments about the customers, including complaints about behavior the bluestockings over at TechCrunch sniffishly called creepy, well, those were out there too. But if you've recently booked a massage into a Marriott property while enjoying a chocolate-frosted donut and a medium coffee, check your wallet. We're just saying.
Fancy Bear is making another run at German lawmakers. Spiegel is reporting that Snake, another name for APT28, also known, of course, as Fancy Bear, is phishing targets in the Bundestag and Bundeswehr and various embassies. The evident goal is espionage. Snake, APT28, Fancy Bear, remember, they're all variant names for a hacking crew out of Russia's GRU.

Finally, the losses to SamSam ransomware and the costs in recovery and remediation it imposed were surely disturbingly high. The FBI's statement pegged it at $30 b-b-billion, with a B. The Department of Justice indictment said $30 m-m-million, with an M. In either case, it's a lot, and what's three orders of magnitude between Main Justice and the J. Edgar Hoover Building?
I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos. Rob, we had a story come by from Andy Greenberg from Wired. This was how hacked water heaters could trigger mass blackouts. So, an IoT threat that could cause the grid to go down. What's your take here?

Yeah, I think this is... I'm going to try to position multiple aspects. I'm going to position, first and foremost, I've worked with Andy before. He's usually a really nuanced journalist, and he tries to capture the story correctly. So right off the bat, when I hear it's Andy and I look at this article, I read the title, I'm like, oh, crap, here we go. And then I read the reporter's name. I'm like, ah, there might be something to it.
And in all of these discussions, the positive thing I'll say, because I think I come on the show and he was asking these questions where I'm like the skeptic, I have a lot of positive things to say, too. So the positive thing I'll say about the story is the interconnectivity of our IoT-type devices in the home, as well as the industrial Internet of Things, so your robot arms, your smart meters, your various interconnected components that haven't been traditionally connected in the industrial environment, but the interconnectivity of both of those is very interesting and introduces a risk that has not been fully appreciated. And we even see this in places like gas pipelines and oil refineries and manufacturing, where cloud-based applications are starting to get access directly to sensors and various components of industrial automation in a way that they've never been accessed before, and it introduces risk from a cyber resilience as well as a cyber threats component that hasn't been fully appreciated. So on the backdrop, this is all a discussion that's good to have. And we should be talking about it and trying to figure out where the risk is.

On the other hand, I'm never a big fan of the highlights of, hey, here's a real problem, we should look into it, or we're all going to die. That's where the story generally goes, of like, whoa, man, there's a gap. There's a whole big gap. And so the water heater discussion, and Ben Miller, our director of threat operations, was in the story and quoted as saying that the size required of the botnet to be able to do that out of these components is not available today. There's not enough of the smart water heaters in this story, as an example, to have any necessary impact on grid operations or reliability of the grid, based on the size and scope of the problem today. However, that's not to say, oh, well, as it expands, we will. Well, no, as things expand, there will also be other considerations. And where a lot of these stories fall a little flat is they're great about identifying some risk, but they're not already aware of the compensating controls in place today.
There's another similar story that came out a couple months ago. There was a really good paper by some researchers that looked at smart sprinkler systems and said, look, you could hack one of these gateways and turn all the sprinkler systems on and empty a city's reservoir within a couple hours. And so on its surface, so many things are technically true. They dug into it, they looked into it, they measured the flow rates of the sprinkler systems, how much water would have to be in there. All these things are technically accurate on what you could do from a technology standpoint, but aren't necessarily accurate on what could happen considering everything else. As an example, any water engineer or operator sitting there at your utility, your local water utility, is not going to watch their reservoir empty and be like, oh, man, that's super weird. They're going to take actions. If the system itself doesn't take actions, which there are safeguards put into the systems themselves, so even if the system itself doesn't just trip and go, yeah, that's too much flow going out, we're going to throw an alarm and take some action to the system, which is more likely to happen, then your human operator will be like, yeah, something's wrong. Turn off that line.
And so the same discussion with this water heater discussion of a botnet: a sufficiently sized botnet that would have to occur would first have to go completely undetected. Botnets are usually pretty noisy. Everybody would have to miss this. And let's just say that all happens. Then by the time it actually starts doing something, then you've got disconnects that could be put into place. You know, your electric grid operators are used to, I mean, it's not necessarily a good thing to do, but they're used to having to shuffle power around in adverse situations. Like maybe a facility that they were expecting, like a cogen facility they were expecting power out of this morning, had a failure. So they have to pull generation from another portion, or there's some faults on the lines. They've got to usher power around. I mean, they're used to moving electricity around.

Even, I mean, I think about high-demand days for things like air conditioning, where they'll have rolling brownouts.

Exactly. I mean, so its technical accuracy is possible one day, but it's just not realistic given all of the other considerations. You have to remove all security considerations. You have to remove all human considerations. You have to remove all system considerations. And you basically create this isolated lab environment where something like that's possible. And so it's important to talk about it. And it's also important to have this conversation and go, well, which of our safeguards would help us with this situation? Like, oh, these things. Oh, cool. Those are important. So make sure we don't take those out. You know, it's important to have these conversations, and I think the dialogue is good. But freaking out to come of it, like, oh, my gosh, smart water heater, take down the grid. Like, no, dude, it's fine. And so I think that's more of the point.

All right. Well, Rob Lee, thanks for joining us.
My guest today is Michelle Guel. She's a distinguished engineer and IoT security strategist at Cisco, with over 30 years in the industry. We started our conversation discussing the work she's done with IoT devices in smart cities.

There's a lot of interest. There's a lot of great potential for cities to use IoT infrastructure to provide, say, an early warning system for floods, which is something that's been done in Texas and Mexico, to help make better use of resources that are scarce, whether it's power, whether it's water, to better protect the city, provide more convenient traffic flow. So I think there's a lot of potential, and cities do need to implement that type of automation to improve the overall management of their city, but there are definitely some challenges in general with, I'll just call them IoT ecosystems.

Can we touch on some of the privacy issues there? How do you make sure that when these systems are going online, that they're also respecting the citizens' ability to maintain their privacy?
Yeah. So that's one of the bigger issues that come up. The smart city program that I was on last year, actually for about 18 months, was in Europe, more specifically in London. So one of the actions they took, and I wasn't part of this because I'm in the U.S. and it was in London, they had a very focused group that they spun up initially that was all around privacy, in terms of understanding what data was going to be collected. Did the citizens have an opportunity to opt in where possible? Like, one example would be one of the use cases they ran was, I'm not sure what the official name was, but it was essentially an early warning system and health management system for people with asthma. And so they had smart inhalers. And they would get alerts on their mobile phone when there was air quality, or there was a lot of port activity coming in, because they always knew the pollution was higher when the transport ships came in. So they would get an early warning, and the recommendation might be to use their smart inhaler. So there was potentially personal information, but they were opting in, like, I'm going to participate in this smart health monitoring. Therefore, I know that they have my inhaler numbers registered to a user number assigned to me, and my doctor knows what that is. So they approached it from the beginning of designing that solution, what needs to happen.

There are other incidental privacy, I'll call them privacy violations in my personal view, that happen, and that is one of the things that I brought up. For example, you have a smart city implementation with, like, a video, an interactive video wall where the citizens can come into this big building, and then they can, you know, it's like the multi-screens, and they can click on the screen and maybe they want to see what tourist activities, and they can click on another screen and see news. Well, there's another camera that's monitoring the video board. And so when they walk in the building, do they know that there's another camera that's capturing them, or perhaps a camera that's actually seeing people that aren't even interacting with the board? So you have that sort of incidental, maybe it's not necessarily personal privacy information, but if I didn't know I was going to be on the camera when I walked by, do I know that? So there are challenges with smart city implementations, and privacy is paramount. But in the connected world, I would say the industry as a whole is still learning and maturing what approaches need to be taken to ensure that all these sensor-enabled devices that are capturing various information... Maybe a single device is not capturing personal information, but say in my ecosystem in my house, or the way I interact with the world across the day, there's a lot of different data. And if you combine that, the combination of all the data may reveal more about me than I understand and may not be aware of. So it's not individual sensors to look at. We also have to look at how the data is combined and look at that. And the industry as a whole has a lot of maturity that's needed in that area.

I want to talk some about your role as a pioneer in the industry, and particularly as a pioneering woman in the industry. I'm wondering, what's your perspective been coming up through this industry that is certainly male-dominated? What have you seen, and how do you feel like things have been recently?
Well, I do know in the early days, I do get asked this question quite a bit, I never really stopped and thought, like, hey, I'm the only girl in the room. I think it was just more of an expected, because it was the late 80s, right? It was still way more male-dominated than it is now. But even through the 90s, there just wasn't an industry-standard focus on it. And then it became more like, wow, there's just not very many of us in here. And you didn't really hear about any focused activities. I think the first sort of aha moment I had with some other women is, typically when women go to a security conference or any kind of technical conference, but my experience, security conferences, you could sit in a room with 1,000 people or a couple hundred people. You could look around and count. You could see that there weren't very many women. But this one conference was a SANS conference. We went to the ladies' room at break, and there was actually a line. We all kind of looked at each other like, wow, there's enough of us that there's a line. We haven't seen that before. And so I always tell people that was sort of like an aha moment, like, wow, we have enough women in the room, there's a line. And so then you began to see organizations have more of a focus.

What I have learned, and more of the industry is coming to an awareness about, is we really need to reach the youth in middle school, because that's when they're starting to make their decision about what I want to be when I grow up. And if they don't know that cybersecurity is an opportunity, and most often they don't, then it's not even on their radar. They may learn about it later, but if we can get the word out at an earlier age, there's a lot of great opportunities in this field. There's a high need. And then being able to demonstrate that it's an exciting industry. Women like to save the world. They like to help people. And phrasing it from, what are the things that you can do with a cybersecurity background that makes an impact in the world? How can you help a financial institution be secure? How can you help in the medical field? How can you secure a smart city so that city can make efficient use of its resources and be secure? So that's the way I feel, and growing numbers of people feel in the industry, that we need to have the messaging to the younger generation so they see it as a great opportunity and they find it exciting, and then help them with skills and understanding, like, okay, there's still going to be a lot of guys. You may be the only girl in your cybersecurity group at school, but keep going, you know, be bold, be brave, step out and just go for it, because there's great opportunity.

That's Michelle Guel from Cisco.
And that's the CyberWire.

For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.