CyberWire Daily - Ticketmaster paycard breach is part of a very large skimmer campaign. Chinese cyberespionage and censorship. Smartphone privacy issues. Data misuse litigation. Affirming the consequent.

Episode Date: July 11, 2018

In today's podcast we hear reports that the Ticketmaster breach is the tip of a big software supply chain iceberg. Chinese intelligence services closely interested in Cambodia's elections. iOS crashes appear related to code designed to block displays of Taiwan's flag to users in China. Congress wants some answers on smartphone privacy from both Apple and Alphabet. Facebook's wrist is slapped in the UK. Langley Credit Union identity theft case proves not necessarily related to the OPM breach. Johannes Ullrich from SANS and the ISC Podcast on securing DNS. Guest is Ken Spinner from Varonis, cautioning that we not let high-profile insider threat cases distract us.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The Ticketmaster breach is the tip of a big software supply chain iceberg. Chinese intelligence services are closely interested in Cambodia's elections. iOS crashes appear related to code designed to block displays of Taiwan's flag to users in China.
Starting point is 00:02:12 Congress wants some answers on smartphone privacy from both Apple and Alphabet. Facebook's wrist is slapped in the UK. And a Langley Credit Union identity theft case proves not necessarily related to the OPM breach. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, July 11, 2018. The large Ticketmaster breach disclosed on June 27th was, according to security firm RiskIQ, just a small part of a much larger criminal card skimming operation. Magecart, a criminal gang that's been active since at least 2015, is thought responsible. The entire caper extends to somewhat more than 800 e-commerce sites worldwide.
Starting point is 00:03:02 Magecart works by installing skimmer software into third-party components and services used by the retail sites. The Magecart operation is a bit different from the standard kind of skimmer you might encounter in a checkout line or at a gas pump. Their skimmers are digital, software insinuated into online commerce sites, normally through the compromise of some third-party vendor. RiskIQ describes the skimmer as simple but obfuscated. The security firm also thinks the criminals are getting smarter in their approach.
Starting point is 00:03:35 Instead of fiddling with individual websites or web pages, they've found they get a better return if they compromise third parties who supply scripts to retailers. The third-party vendors RiskIQ mentions are Inventa, SociaPlus, PushAssist, and NX Cloud. The potential for large-scale paycard theft is serious. RiskIQ's blog says that, quote, Magecart is an active threat that operates at a scale and breadth
Starting point is 00:04:01 that rivals, or possibly surpasses, the recent compromises of retail giants such as Home Depot and Target. Another way of looking at the case, of course, is that it's a supply chain issue. Supply chains can deliver software as much as they can hardware, and they're all attractive to operators with bad intentions. Chinese espionage services are, according to FireEye, vigorously prospecting Cambodian political, media and government targets in advance of that country's elections, scheduled for July 29.
Starting point is 00:04:36 Prime Minister Hun Sen is seeking re-election. He's running without any effective opposition. The opposing Cambodia National Rescue Party was dissolved last year, and its leader arrested on suspicion of plotting with the U.S. to overthrow the government. That arrest is widely regarded as founded on a bogus accusation. Bloomberg quotes FireEye sources as saying, quote, we expect this activity to provide the Chinese government with widespread visibility into Cambodian elections and government operations. The compromises fit the overall MO of Chinese espionage in that they gather up all the information that they can.
Starting point is 00:05:15 Chinese operators are said to be targeting the opposition, human rights groups and media organizations. They have also extended their activities to government bodies, including the National Election Commission, the Ministry of the Interior, the Ministry of Foreign Affairs and International Cooperation, the Ministry of Economics and Finance, and the Senate. It's an instructive case of the extent to which intelligence services will go to inform themselves concerning matters that aren't in serious doubt. In another story with a Chinese government angle, people have reported that some iPhones have been crashing, entering a denial-of-service condition that Apple patched Monday.
Starting point is 00:05:55 The problem seems related to Apple's willingness to placate China's government by ensuring that iOS devices in China wouldn't display Taiwan's flag as an emoji option. Digita Security founder Patrick Wardle, who investigated, believes devices crashed because iOS was coded to treat the Taiwan emoji as an invalid input. Confusion over location and language settings appears to have triggered the problem. If you are looking toward another problematic time for Apple users, wait until October 10th, celebrated in Taiwan as Double Ten Day, the national holiday. High-profile cases of insider threats like Edward Snowden and Chelsea Manning
Starting point is 00:06:37 attract attention and generate headlines, and justifiably so. Ken Spinner is VP of Global Field Engineering at Varonis, and he wonders if we're being distracted and taking our eye off the ball. It's gotten to the point where people at bars and at restaurants know the names of Manning and Snowden and Winner and so on, but they lose sight of all the other things that are happening. They lose sight of all the other people that are potentially stealing data, and whether those people are insiders or whether those people are trusted
Starting point is 00:07:08 outsiders or whether those people are potentially consultants and contractors. Now, where do you think organizations are getting it wrong? I don't think they're focusing enough on insider threats. And I certainly don't think they're focusing enough on data. If you look at what people are going after, typically they're going after data and they're going after data that potentially can be mined for specific types of information, or they might be going after data that they can monetize. So because of that, I think a lot of organizations are neglecting going after the people who are actually searching for the data and they're not doing enough behavioral analysis to determine when somebody is behaving incorrectly or correctly. So let's dig into that in terms of a solution. So we've
Starting point is 00:07:51 got behavioral analysis. Walk us through what you mean by that. I'll give you an example. Typically, if you have, let's say, a finance person, they're probably going to access similar files every day. They're probably going to access those files from the same machines every day. And they're probably going to do it during normal business hours. The technologies that are out there need to be able to determine what constitutes normal. And the technologies that are out there also need to be able to determine very quickly what constitutes abnormal. So if you have a finance person and they're working after hours, and all of a sudden you see that they're coming from a machine that's not their normal machine, you might want to be suspicious of it and you might want to start investigating what was going on with that individual. really important to the company, you're going to start to potentially start investigating what that data was and why is it so important and why is that individual accessing it during hours that
Starting point is 00:08:50 might not be appropriate from a machine that might not be appropriate. Now, how about encryption and protecting the data at rest and in transit? How much could that contribute to a solution to this problem? Oh, it absolutely contributes. Encryption, like every other type of security technology out there, is very important. But at the same time, encryption only helps when you have people who potentially should not have access to that information. But if you're granting access to somebody or if somebody, you know, as an example, a person loses their credentials or credentials are stolen, then encryption might not help. And what I mean by that is the person's already got access to that information,
Starting point is 00:09:30 which means that they've been granted access and they more than likely have the keys to that particular encrypted file or folder. So they'll be able to access it anyway. So what you're advocating is really a system that learns the habits of your employees and then also implements a set of boundaries and can alert when things go outside of those boundaries. Yeah, that's exactly right. And I'm also looking to get deeper into automation. So when manual processes break, automation takes control. So what I mean by that is, if you have an individual who grants access or over-permissive access, we should have the proper tools in place
Starting point is 00:10:10 to make sure that that's controlled by some other automated process. Typically, people don't do a good enough job making sure that they understand what type of data they manage, the criticality of that data for the business, the criticality of that data for ongoing operations. And if they do that right and they do behavioral analytics on that data,
Starting point is 00:10:29 they'll be able to manage and secure that data a lot better. That's Ken Spinner from Varonis. The U.S. Congress continues to question Google and Apple over user tracking practices. Apple said it will limit the user data third-party developers can get from Apple devices, but the House of Representatives Energy and Commerce Committee would like to know why the developers are allowed access to any data at all. The committee is also interested in what's up with respect to privacy in the Android ecosystem, especially since reports surfaced recently that Google has continued to enable data scanning for target marketing.
Starting point is 00:11:11 Facebook also remains under scrutiny. The UK's information commissioner has fined the company £500,000. Observers dismiss this as chicken feed, but the commissioner also called for an ethical pause in micro-targeted advertising, which could be more consequential if it turns out to be something more than merely aspirational. Facebook is also facing more litigation. An Australian litigation funder, IMF Bentham, has opened a class action suit against Facebook for privacy matters pertaining to the Cambridge Analytica affair. The Pirate Bay is now telling users up front that it intends to cryptojack their CPUs. They can like it or lump it, install an ad blocker, or get off their site. And finally, you may recall the case of Kariva Cross,
Starting point is 00:11:55 who last month copped a guilty plea to having used stolen identification information to get fraudulent personal and vehicle loans from the Langley Federal Credit Union. The U.S. Attorney's Office for the Eastern District of Virginia, which prosecuted the case, issued a press release at the time that explained Ms. Cross got her stolen personal information from the large data breach the U.S. Office of Personnel Management, OPM, sustained, or at least discovered and disclosed, back in 2014. It turns out that this probably isn't true at all. Ms. Cross didn't necessarily get the personal data she stole from the OPM breach.
Starting point is 00:12:33 The Justice Department corrected itself in a letter to Senator Warner, a Democrat from Virginia. Instead, what happened seems to be that some of the victims whose data had been used told investigators that their information had been compromised by the OPM incident. But that's not surprising since an awful lot of people were affected by that breach, and since an awful lot of them no doubt live or work in the vicinity of Langley, Virginia. There's no evidence that Ms. Cross actually used data from the breach in her crimes, and so justice was premature, as they put it, in jumping to its conclusion. The episode is a nice illustration of the logical
Starting point is 00:13:12 fallacy of affirming the consequent. If someone's data used in the identity theft were traceable to the OPM breach, then that person would have been a victim of the OPM breach, right? But it doesn't follow that any case of identity theft involving a victim of the OPM breach is therefore traceable to that OPM breach. Who in the world knows where Ms. Cross got her data? Well, presumably she does. But the inference the press release draws is invalid. And here all of us were marveling at the investigative work that traced the OPM data
Starting point is 00:13:43 to fraud at the credit union. Consider this. If Abraham Lincoln fell off the Empire State Building, then he'd be dead. Abraham Lincoln is dead. Therefore, he fell off the Empire State Building. No, that's the fallacy of affirming the consequent. Class dismissed.
Starting point is 00:14:25 Calling all sellers. Go to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster
Starting point is 00:15:20 with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:16:33 And I'm pleased to be joined once again by Johannes Ullrich. He is from the Internet Storm Center Stormcast, a daily podcast from the SANS Institute. Johannes, welcome back. You know, we've been seeing a lot of talk lately about efforts to secure DNS. What can you share about that? Yes, thanks for having me. DNS, of course, is one of those ancient protocols as far as the internet is concerned. Actually, one of the big success stories in the ways it survived and really has scaled so far. But one issue we always had with DNS was privacy. Now, initially, the security concerns with DNS were more around integrity of the data, like DNS spoofing. And DNSSEC, of course, was invented to prevent this. DNSSEC had a little bit of a rocky start and isn't really used all
Starting point is 00:17:20 that much. But really, the only thing it prevents is someone from spoofing DNS. As an end user, that tends to be not a huge concern. What you're really more concerned about is privacy. And some recent efforts really sort of have put more attention to that. For example, DNS over TLS. You may have heard about Cloudflare setting up their own public DNS resolver 1.1.1.1. That DNS resolver now, for example, supports DNS over TLS. So if you have, for example, a home router or on your desktop software that does support DNS over TLS, then you can take advantage of this and your ISP no longer knows what DNS resolutions you actually perform. Now, from a defensive point of view, this can also be a problem because DNS has sort of been one of the ways how we're able to inspect some
Starting point is 00:18:21 of this traffic in our networks with more and more traffic moving to HTTPS and encrypted traffic in general. DNS was sort of the one opening we had to really see what sites our users were visiting. Actually, another sort of little protocol that starts to take off now is DNS over HTTPS. DOH, it's sometimes abbreviated as. And now in your network, everything will go over HTTPS, including DNS, which, of course, for enterprise and so will make it more difficult to defend.
Starting point is 00:18:54 In your estimation, is that a worthwhile tradeoff? Well, I think it depends on your sort of threat model and what network you're in. I think for a home user, or if you're traveling and connecting to less than trustworthy networks, DNS over TLS or DNS over HTTPS will create protocols. In enterprise networks, I think you still want to have more control over where users are going, what they're doing with your systems, and if the data that you have, and that's also consumer data, is protected well,
Starting point is 00:19:27 in those cases, I think you would still want to retain that internal visibility. But the way you can do it and still sort of take advantage of something, privacy is where you essentially configure your internal clients, that they connect to your internal resolver. But then that internal resolver
Starting point is 00:19:44 can still take advantage of protocols like DNS over TLS or DNS over HTTPS to preserve the privacy as it leaves your network. All right. Well, as always, good information. Johannes Ullrich, thanks for joining us. Thank you. Cyber threats are evolving every second, a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:20:39 Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Thanks for listening. We'll see you back here tomorrow. Thank you. and data products platform comes in. With Domo, you can channel AI and data
Starting point is 00:22:05 into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:22:26 That's ai.domo.com.
