CyberWire Daily - Perils of paycards, as Cyber Weekend approacheth. Tessa88 is identified. Many more people than before have now heard of High Tail Hall.
Episode Date: November 21, 2018
In today’s podcast, we hear that Amazon has offered customers a modified, limited hangout on some kind of data exposure. The online retailer says everything’s OK, but it hasn’t said much else.... Facebook is back online—yesterday’s outage attributed to a server misconfiguration. Shoppers and retailers prepare for Cyber Weekend. Tessa88, the dark web data hawker, may have been identified. Cyber espionage continues. And there’s been another breach in what we’ve curiously agreed to call an “adult” site. David Dufour from Webroot on the pros and cons of open source code. Guest is Andrew Kling from Schneider Electric with an update on Triton malware. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_21.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Amazon offers customers a limited alert of some kind of data exposure.
Facebook is back online.
Shoppers and retailers prepare for cyber weekend.
Tessa88, the dark web data hawker, may have been identified.
Cyber espionage continues.
We've got a look back at Triton malware with Schneider Electric's Andy Kling.
And there's been another breach in what we've curiously agreed to call an adult site.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, November 21st, 2018.
Amazon has experienced a so-far unspecified breach.
The online retailer has emailed many customers,
but not all, to say that their name and email address
had been exposed due to a technical error.
That email, genuine enough despite its fishy appearance,
doesn't say what happened or where or why or how,
but it reassures the recipients that everything's fine
and there's no need to change passwords.
It's interesting to note that a number of people suspected the email from Amazon might be a scam,
even though some of the telltale signs of social engineering by email weren't present.
There were no requests to verify your account or click here to reset your password.
Perhaps this is a good sign of growing awareness of the risk of phishing. If so, good. Stay skeptical.
It's also interesting to note that the incident occurred just before what's become, in the U.S. especially, but elsewhere as well,
a traditional long weekend of shopping frenzy.
Risks of fraud are naturally somewhat heightened at this time of year.
How high the rate of fraud is might be seen in some data published by ACI Worldwide,
the online payment provider.
Looking at the track record, based on hundreds of millions of transactions,
ACI thinks we can expect the value of retail fraud attempts to jump by 17%
over what we suppose we must now call Cyber Weekend.
Taking individual fraud attempts,
ACI estimates that the average dollar value of each scam try will be up by 3%,
specifically up to $243 per attempt.
Tomorrow, Thanksgiving Day, seems likely to be the worst of the long weekend,
with some 1.8% of all attempted transactions being fraudulent.
The comparable scam rates for Black Friday and Cyber Monday are expected to come in at 1.3%
and 0.93% respectively. We've heard and seen a lot of advice for consumers on staying cyber safe,
but it's worth remembering that in many respects this is an organizational challenge for businesses engaged
in e-commerce. NuData Security, now a MasterCard company, so they think about this a great deal,
reached out to us with a comment: high volume correlates with heightened risk. And according
to NuData's Ryan Wilk, quote, organizations need to be aware of this and make sure that their
account security corresponds to the heightened threats
by engaging with more robust access protocols, such as two-factor authentication and passive biometric solutions.
Retailers compete, of course, but so do the crooks who target them.
In the card-skimming underworld, rival gangs are struggling for Magecart supremacy on an infected e-commerce site.
It's been just over a year since industrial control system security firm Dragos
discovered a malware campaign designed to sabotage the safety shutdowns in a system in the Middle East.
The malware, which is most often referred to as Triton or Trisis,
triggered an emergency shutdown of the Schneider Electric
Triconex system it had aimed to control. This inadvertent shutdown was one of the factors that
led to its discovery. Since then, Schneider Electric has been remarkably transparent about
the event, sharing information with researchers, colleagues, and even competitors. Andrew Kling
is Director of Cybersecurity and System Architecture at
Schneider Electric. In August of 2017, we had a plant that went down, meaning the safety system
was tripped and the plant was taken to a safe state. Initially, we investigated this as a plant
trip, a safety situation. Okay, what happened at the plant that would cause this?
Fairly quickly, though, we recognized that it couldn't be explained by normal process and process control.
And it caused us to look a little deeper.
And, in fact, we recognized that this was a cybersecurity incident.
So what were some of the lessons learned?
What were some of the take-homes having been through this?
So for me personally, I am in R&D. I run an SDL, a secure development lifecycle, for an organization that's very large.
We're a thousand engineers spread over multiple continents around the world. We had always taken an approach of identifying in our SDL, identifying vulnerabilities,
ranking those vulnerabilities using the common vulnerability scoring system,
and addressing the most severe vulnerabilities and moving down that list, working through our
backlog of vulnerabilities so that we address the most severe. The lesson learned that I personally
took out of this attack was attackers don't start at the top of the list.
They'll start with wherever they have their tradecraft and their preparedness.
And so vulnerabilities that existed fairly low down on that list, down in the CVSSs of threes, fours, and fives, that's where they were attacking.
Those were some of the techniques that they were using. And so the lesson learned was you can't only look at sort of a top-down, most severe to least severe
approach, but you actually have to look at the tradecraft that's being used. You have to understand
the advanced persistent threats out there, these threat groups that are out there, and the techniques
that they're using so that you can devise your defenses not only in this top-down approach,
but also in a very pragmatic
approach that looks at the techniques that could be used against you. So is this a matter of
monitoring incoming feeds of threat intelligence to know, to, I guess, align the vulnerabilities
with what's actually going on out there in the real world? Yes, exactly. It not only entails you having a program of
understanding vulnerabilities and the evolving nature of vulnerability. Somebody discovers a
new zero-day in an operating system or in a library. We all hear about these things all the
time, but also understanding where these vulnerabilities are being exploited. And it's that exploit,
those exploits that require the threat intelligence that you mentioned, that require that you have a
continuous feed. And it's not enough just to have the feed. It's not enough just to have a keyword
in those feeds that you're triggering on, but you have to look at them and actually understand
the nature of what's going on. And yes, this ties into motivation. It ties into geopolitical nature,
ties into what would motivate an attacker to attack your customers and your industries and
your verticals. It takes time to understand what those motivations might be so that you know how
to filter through this threat intelligence to find what actually matters to you most.
You know, it's my impression that particularly in the industrial control system space, there is
a strong sense of community and a lot of sharing that goes on between organizations, between
researchers.
First of all, is that actually the case in your experience?
And how does an event like this make its way through the community?
You know, that's a great question.
Within days of this incident becoming public, I was on the phone with my competitors.
I have colleagues that I know in other competitive businesses through standards committees.
And like you said, it's a close community.
I was briefing them.
Very point blank, I was briefing them on what we knew about the attack, what the tradecraft looked like.
It definitely was attacking our product, but could be applied to any kind of safety product.
And we were there to help them learn as much as anybody and continue to stand that posture, to stand that vision of trying to bring this collaboration.
This is an industry call to action,
and we firmly believe in that,
and we are putting our efforts behind that.
If the next one comes and I am ready,
will I know it?
Will I know that the attack happened and it failed?
It's entirely possible that the attack happens,
and we completely thwart the attack, and there's never any evidence that the attack happened.
So it's very difficult to say. We need to work with everybody. This collaboration
has to go horizontal through the industry, meaning we all have to work with each other.
And then we also have to think about some of that vertical collaboration.
How do we work with the government agencies around the world? This has been a real eye-opener here
where we identify that there very much are silos between countries when it comes to some of this.
And yes, some sharing goes on.
Much of that is probably hidden from somebody like myself down here at an OEM level.
But we very much can see vertical silos built in how we share.
And so it's incumbent upon a vendor like myself, an OEM like myself, to find those silos and to communicate up through them to the government agencies that need to know.
But it's also important that we start to break down some of these barriers so that there is a
better way to collaborate on incidents like this. And it's collaboration that's going to help us
improve our security posture. That's Andy Kling from Schneider Electric.
You can read his article, One Year After Triton, Building Ongoing Industry-Wide Cyber Resilience.
That's on the Schneider Electric website.
Threat intelligence firm Recorded Future says it's cleared up the mystery of Tessa88, the hitherto unidentified cybercriminal,
who in 2016 sold MySpace, Badoo, LinkedIn, QIP, Rambler, VKontakte, Mobango, and Twitter databases.
The security firm has concluded that Tessa88 is one Maxim Vladimirovich Donakov of Penza, Russia.
Tessa88 claimed to be a broker or middleman as opposed to a hacker.
Mr. Donakov is, as far as is known, still at large,
but there has recently been an indictment and extradition to the U.S.
of another hood involved in the MySpace caper.
Espionage in cyberspace continues at its customary tempo and customary actors.
Australia, however, is thought to be seeing an increase in the attention being paid to its corporate intellectual property by China's Ministry of State Security,
and observers continue mulling Cozy Bear's virtuoso return to phishing for access.
Those of you in the furry community, you know who you are. But a breach in the High Tail
Hall suggests that about half a million of you will eventually be known to everyone else as well.
The BBC and friend of this show, Graham Cluley, seem well informed on the incident.
You can safely leave us out of it. Remember to look for a redesigned daily news briefing email shortly
after the Thanksgiving holiday. It's redesigned to avoid falling into spam traps or becoming
inadvertently enmeshed in the array of anti-phishing measures increasingly deployed.
We hope you'll find the new format more user-friendly. We'll announce the date as the
rollout approaches. As always, thanks for subscribing and reading. That's one of the many things we at the Cyber Wire are thankful for.
And remember, if you don't subscribe yet,
why not sign up for the always-free daily delivery this Cyber Weekend?
We are, of course, observing Thanksgiving this week,
so there will be no daily news briefing, daily podcast,
or Hacking Humans on Thursday or Friday.
There will also be no Research Saturday or Week That Was this Saturday.
Everything returns to normal next week.
In the meantime, enjoy the holiday and we'll see you Monday.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges
faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your
executives and their families at home. Black Cloak's award-winning digital executive protection
platform secures their personal devices, home networks, and connected lives. Because when
executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And I'm pleased to be joined once again by David Dufour.
He is the Vice President of Engineering and Cybersecurity at Webroot.
David, welcome back.
We wanted to go through and touch on some issues with open source code,
kind of walk through what some of the best practices are,
some of the good things and bad things when it comes to using it on your projects.
What can you share with us?
Okay, first of all, great to be back, David.
And you're right, you know, open source,
I think a lot of folks are getting a lot more understanding about licensing and things like that. And that's really where
we're going to focus. I should start out by saying I am not a lawyer. Do not take advice from me
thinking that's in some way going to protect you. But the whole point here about talking about open
source is really just to raise that consciousness of considerations you need to
take. So what are we talking about? I'm an engineer. Everybody out there, you know, that's
developing software. You know, we all like to put on our pirate hats and surf the internet and look
for something that prevents us from having to write code from scratch. And a lot of times you
find really well professionally made products for free, but they are under different open source licenses.
We want to use those in products that we want to develop and then potentially sell.
the time as a developer, and a lot of startups don't want to take this time, and I get it because I've been there, to understand the implications of building a solution around the products of
different open source licenses. And I understand that there's this sort of fundamental tension
because I think there's this perspective that, well, anything open source is the upsides that
it's going to have a lot of eyes on it. But the downside is no one's really being paid to take that deeper look at it.
Well, that's now that's true.
That is one thing where I do agree that no one is taking that deep dive looking at the
code or their vulnerabilities in there from a securities perspective.
And I understand that.
And there are concerns there.
And when we look at open source here, we want to make sure
we've done a good vetting of whatever open source we may use. But the flip side is, and this is
really for people building solutions, building products. If you take open source with a certain
type of license and you build a product around that open source, your source code and your product is also there
then required to be open source. Meaning any code you write that is attached to certain open source
licenses is by definition now open source as well. And you may be forced to give away your
intellectual property. And that's really the concern I have for a lot of
folks with a startup or, you know, trying to get off the ground with something. You really do need
to be aware of that. So you could be running at maximum velocity trying to ship this product.
And in doing so, you add some open source code. And then months later, it turns out that you have
to reveal your code because you didn't take the time to
read through the open source agreement. That is it in a nutshell. And David, we have spent here at
Webroot many, many, many, many person hours getting through, you know, source code of different
licenses and making sure we're, we've addressed that because the open source community
is really starting to pay attention to it. And I don't blame them because there's a lot of people
who spend a lot of time writing really good code that's open source that they put out there
for free for us to use. And they've done it out of the goodness of their heart.
And it's not necessarily right that someone just take that and
monetize it. So I agree with the community and the way they do it. I'm more just trying to alert
people, you know, be aware that you may be on the hook for letting your intellectual property out
there. It's good words of wisdom. David Dufour, thanks for joining us. Hey, great being here,
David. Have a great day. cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach
can keep your company safe and compliant.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast
of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time
and keep you informed.
Listen for us
on your Alexa smart speaker, too.
The CyberWire podcast
is proudly produced in Maryland
out of the startup studios
of DataTribe,
where they're co-building
the next generation
of cybersecurity teams
and technologies.
Our amazing CyberWire team
is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki,
Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at
ai.domo.com. That's ai.domo.com.