CyberWire Daily - Multibreach via chat app. OceanLotus notes. Mirai vs. Banks. Energetic Bear vs. Switches. Russia warns Britain against provocation. DataTribe finalists.

Episode Date: April 6, 2018

In today's podcast we hear that a breach in several companies' consumer-facing systems is attributed to a third-party chat vendor. Crooks are tampering with chipped debit cards. OceanLotus is back, with a macOS backdoor. A Mirai variant was used against banks earlier this year. Energetic Bear may be exploiting misconfigured switches. Microsoft looks into Office 365 outages. Russia warns Britain against playing with fire. And three cyber startups are DataTribe finalists. Johannes Ullrich from SANS and the ISC StormCast podcast, on API security. Guest is Jimmy Heschl, head of digital security at Red Bull, discussing the challenges of securing a global brand.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K.
Starting point is 00:01:22 A breach in several companies' consumer-facing systems is attributed to a third-party chat vendor. Crooks are tampering with chip debit cards. OceanLotus is back with a macOS backdoor.
Starting point is 00:02:08 A Mirai variant was used against banks earlier this year. Energetic Bear may be exploiting misconfigured switches. Microsoft looks into Office 365 outages. Russia warns Britain against playing with fire. And three cyber startups are DataTribe finalists. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 6, 2018. Earlier this week, an issue with the IT supply chain hit pipeline operators. Yesterday, there was another third-party breach disclosed that affected a major airline and a major retailer, and several other
Starting point is 00:02:45 companies as well. Delta Airlines and Sears both said that hundreds of thousands of customers' personal information was exposed through an online chat service they used for customer support. The chat service was provided by Silicon Valley firm 247AI. That company said in a statement, quote, 247AI discovered and contained an incident potentially affecting the online customer payment information of a small number of our client companies and affected clients have been notified. The incident began on September 26 and was discovered and contained on October 12, 2017. We have notified law enforcement and are cooperating fully to ensure the protection of our clients and their customers' online safety.
Starting point is 00:03:29 We are confident that the platform is secure, and we are working diligently with our clients to determine if any of their customer information was accessed. Sears said in an announcement dated Wednesday that [24]7.ai notified them of the breach in mid-March. Delta was more specific in its statement, saying they were notified last week, on March 28th. Both companies said that they'd been taking steps to contain the damage since they were notified. Other companies were also affected, Best Buy among them, and no doubt others will come to light soon.
Starting point is 00:04:03 Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, pointed out that the companies named as having suffered loss of customer data in the incident weren't themselves breached. It was a third-party breach that hit them via a vendor. Bilogorskiy said, quote, third parties have been the vector of attack in many high-profile breaches, and I anticipate this trend will continue. In recent years, 63% of breaches were traced to third-party vendors, according to the Soha Systems survey on third-party risk management.
Starting point is 00:04:34 If a hacker can breach a company and pretend to be a legitimate vendor, they may have full access to a company's network for months, plenty of time to monetize their attack. Mounir Hahad, head of Juniper Threat Labs, thinks it possible that there may be a systemic issue here. He said, quote, it is important to understand that this breach is different from some past breaches, such as Target, where the third-party vendor was a vehicle for an intrusion into the final victim's own network, end quote.
Starting point is 00:05:02 Both Bilogorskiy and Hahad agree that businesses need to think in terms of the security of their vendor supply chain. As Hahad noted, quote, at the end of the day, it's companies like Delta Air and Sears that end up in the news, not so much the third-party vendor, end quote. The U.S. Secret Service has warned banks that chipped corporate debit cards are being tampered with by criminals. They intercept new cards in the mail, tamper with their chip, and then send them on to their ultimate corporate users. It appears the operation works like this. Once the crooks take the card from the mail, they heat it to melt the glue holding the chip, then they replace the new card's chip with an older one they have, and then put the new chip into an older card.
Starting point is 00:05:45 The new card with the older chip is then put back into the mail. When the company gets the card, they'll activate it, but in the meantime, the criminals can make purchases and steal funds using the new chip they retained. How the criminals get to the mail is unclear. It may be a postal service inside job, or perhaps the crooks are just keeping an eye on corporate mailboxes. New activity by the OceanLotus threat group is being observed. Security company Trend Micro has detected a new macOS backdoor being used against an array of human rights groups. OceanLotus is believed to operate on behalf of the government of Vietnam. The infection vector is thought to be a malicious Word document
Starting point is 00:06:26 distributed by phishing emails. Security intelligence firm Recorded Future says a Mirai variant has been responsible for attacks on European financial institutions earlier this year. Cisco's Talos security research unit thinks it knows how Energetic Bear has been gaining access to systems associated with the U.S. power grid. Talos believes the Russian threat actor that US-CERT warned about is getting in by taking advantage of misconfigured Cisco switches. Microsoft is working to find what caused the widespread Office 365 outages being experienced
Starting point is 00:07:02 across Europe today. The problem appears to be accidental, probably a glitch and not an attack, but investigation is in progress. Facebook CEO Zuckerberg will testify before two U.S. Senate committees next week, the day before he appears in the House. On April 10th, he'll answer questions from the Senate Judiciary and Commerce committees. Russia warns the U.K. that if it continues to accuse Russia of things like the Salisbury nerve agent attacks, Russia will take appropriate measures. Britain, Moscow says, is playing with fire.
Starting point is 00:07:35 That fire is widely expected in the West to take the form of stepped-up cyber attacks, at least initially. And finally, in what for us is local news, since these guys are just on the other side of the floor from us, DataTribe has announced the three finalists in its $2 million cyber funding competition. Out of almost 100 applicants, the finalists are CyberCon, which combines machine learning with the ability to comb some of the most restricted parts of the internet to deliver timely and active predictions that help its customers become proactive about security;
Starting point is 00:08:10 Imogen, a unique sensor platform company that combines hardware, software, and smart imaging technology that has the potential to save billions of dollars in the autonomous vehicle, drone, transportation, industrial, and commercial satellite industries; and Inertial Sense, offering miniaturized high-performance GPS inertial navigation, attitude heading reference, and inertial measurement sensor systems for the smallest, most accurate, and cheapest sensor platforms available in the world today. These three will share a $20,000 prize, and on the 25th of April, DataTribe will announce the winner, who will take home $2 million in seed funding.
Starting point is 00:08:49 Good luck to them all.
Starting point is 00:10:44 And I'm pleased to be joined once again by Johannes Ullrich. He is from the SANS Technology Institute, and he's also the host of the ISC StormCast podcast.
Starting point is 00:11:26 Johannes, welcome back. You had some tips today you wanted to share about API security. What do we need to know here? Yeah, what I really see lately when I'm talking to developers or when I'm teaching our web application security class is that most web applications today are written as APIs, as application programming interfaces. So what you do is you write an API, and then you write a modern web application that accesses it, or maybe a mobile application that accesses that API. Whenever developers, or anybody for that matter, jump sort of on these new technologies, they sadly tend to forget sort of the basics that have always been true and are still true for these APIs. So for example,
Starting point is 00:12:15 what I'm seeing here a lot is protection against brute forcing, where you have an API, for example, I saw this recently, that allows you to reset a password and then they sort of did the right thing. They use sort of a one-time password via SMS messages that the user had to use to acknowledge that they want to reset their password. Well, there was no brute force protection here. So it's not really all that hard to write a little script that tries all these five-digit numbers that they're going to send you and essentially brute force the reset for any password. So these are some of the simple things, but it continues with cross-site scripting, SQL injection, all of these old basic vulnerabilities. They're coming back now
Starting point is 00:13:03 and just sort of wrapped in this new technology. So in the case you just described, is it a matter of limiting the number of attempts that someone can make over a given period of time? Yes, this would be a defense here or just limit the number of attempts period. So if you reset your password and then I sent you this reset code. I'll only accept three, four, or five different codes before I make you request a new code. So this would be a simple fix there. This is something that people commonly do and have done for a long time for traditional web applications.
Starting point is 00:13:39 But then again, they sort of forget that these APIs that are often accessed sort of by these fairly obscure and hard to sort of reverse pieces of client-side script, that they're as vulnerable as your good old input form was on a web application. So why do you suppose this is being overlooked? Is this a matter of people being in a hurry or cutting and pasting or simply negligence or just overlooking it? I think it's just overlooking it a little bit. They sort of assume that these APIs or web services are often used to talk to other web services. They don't really sort of take into account that a user sort of or a human can sort of inject themselves
Starting point is 00:14:21 and pretend to be a web service or this application that's talking to your API here. The way I always put it, just because you assume that machines talk to machines, well, not all machines are good. You just have to watch Terminator and see where it can go with the machines. All right. It's quite a metaphor there, Johannes. As always, thanks for joining us.
Starting point is 00:15:12 My guest today is Jimmy Heschl. He's the head of digital security at Red Bull, the global energy drink company headquartered in Austria. They sell over six billion cans of energy drink a year around the world, and Jimmy Heschl is responsible for making sure the company and its customers' data are protected. So my accountability is to make sure that whatever we do at Red Bull on a global scale is done in a secure way. That means all information technology, all data privacy,
Starting point is 00:16:07 all these things need to be done in a proper way and in a proper manner. And can you give us an idea of the range of areas that covers? I mean, obviously you have employees, you have manufacturing, you have consumer-facing things. Yeah, we have several consumer-facing areas, websites and communities. We have, and we've got our core business, which is Energy Drinks, which is available in 167 countries around the globe. We've got a user base of around 10,000, 11,000 internal accounts and devices plus mobile devices. So that doubles the figures and numbers. And it's a total footprint of social media followers and all of that of around 100 million people.
Starting point is 00:16:56 And so how do you set your priorities? How do you delegate with your team for how you handle the various security challenges that you face? That's three things. One is a management of the capabilities, where we defined the usual things you should have in place based on frameworks and standards like COBIT. The second one is what I call the architecture, which is the enablers of COBIT. So which tools, which organizations, which skill sets do we have? And the third driver for the priorities is a set of risks we're facing. Online risks, offline risks, all the things. And the combination of those three things then drives the priorities.
Starting point is 00:17:43 And so what currently are the things that are on your radar? What do you see as being the big threats that you have to face? The big threats is always the disgruntled employees, disgruntled partners, vendor login and cloud services, for example. That's really driving us and, of course, the ever-growing market of the online adversaries. So cryptocurrencies and those things that not normally, but via Trojans and other things come to our endpoints and devices, and steal either computing power or, in the worst case, ask for ransom. Have you had to face those sorts of challenges specifically?
Starting point is 00:18:27 Have you had to deal with things like ransomware? Yes, we had some occasions of ransomware up to one and a half years ago. Total number of 150 devices that were encrypted. All single instances, so no broad encryption. Every single infection is one too much. Now, when you're communicating the challenges that you face to your board, to the people who have hired you, how do you handle that translation of the technical side of things to managing risk?
Starting point is 00:18:59 That's a complicated thing, and I'm not very successful in that, because I try to translate it into business terms. But a company like us is not very much driven by the clear facts and figures as a bank would be, and the KPIs and the KRIs like in Basel II or other things. It's more the likelihood of an impact to our whole business and to the way we conduct our business. And it's more about telling stories and telling things: what could go wrong, what went wrong at other companies, and how we need to make sure that we protect ourselves in an appropriate way. How are you going to be affected by GDPR coming online at the end of May?
Starting point is 00:19:48 Not that much anymore. So we've been affected a lot, of course, with our digital footprint and also collecting, of course, and having the duty of protecting that information of the footprint. So many of our consumers trust us and we need to absolutely align that trust with the capabilities we have in place. So for me, GDPR is not a legal requirement. It's a question of honesty and to be diligent with what you have and all the data you have from your stakeholders and constituents. So from now on, I can sleep really well with the GDPR requirements. I think we did our homework.
Starting point is 00:20:33 No big issue up until May. How do you deal with the fact that, Red Bull being a global brand, you have to deal with regulations and requirements that vary from country to country and even state to state? Yeah, compliance requirements differ from various regions and countries and regulators. But luckily, we are not primarily driven by compliance requirements as a bank or an insurance company would be. So we are more driven by curiosity and flexibility and enterprise and business growth. Yeah, it seems like Red Bull is such a strong brand and you have such strong brand loyalty that I guess one of the main risks you face is reputational damage.
Starting point is 00:21:17 If you were to have some sort of major cyber-related breach, that's where you could be hit the hardest, and that's a tough thing to measure. Absolutely. And whenever you come up with a metric for that, that metric might be a lie or unrealistic. So I'm not trying to sell risk or fear, uncertainty and doubt throughout the company. It's really more about the story and making informed decisions and aware decisions that, yeah, things can go wrong. And it's very likely that things will go wrong sooner or later. But it's our duty to make sure that we are resilient enough that whenever things go wrong, we are not harmed. That's Jimmy Heschl from Red Bull.
Starting point is 00:22:12 And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Starting point is 00:22:46 Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.