CafePress: Just 23 Million Customer Details May Have Slipped Away

August 6, 2019

I read “CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them?” Several years ago I participated in a meeting at which a senior officer of CafePress was in the group. The topic was a conference at which I was going to deliver a lecture about cyber security. I recall that the quite confident CafePress C suite executive pointed out to me that the firm had first rate security. Interesting, right?

The write up in the capitalist tool said:

According to that HIBP notification, the breach itself took place on Feb 20 and compromised a total of 23,205,290 accounts. The data was provided to Troy Hunt at HIBP from a source attributed as JimScott.Sec@protonmail.com.

I thought that an outfit with first rate security would not fall to a bad actor. I also assumed that the company would have reported the issue to customers promptly. It seems as though the breach took placed more than five months ago. (February 2019 and today is August 5, 2019.)

What’s DarkCyber’s take on this?

  1. The attitude of a CafePress executive makes clear that confidence and arrogance are poor substitutes for knowledge.
  2. The company looks like it needs a security and management health check.
  3. A failure to act more quickly suggests significant governance issues.

How about a T shirt with the CafePress logo and the phrase “First Rate Security” printed on the front?

Stephen E Arnold, August 6, 2019

 

 

Capital One, Amazon, Cats, and the Common Infrastructure Play

July 31, 2019

I read “Hacking Suspect Acted Oddly Online.” (Note: the online story is paywalled by Rupert Murdoch. You may  be able to get a peek at the dead tree version of this story in the Wall Street Journal for July 31, 2019.) Yep, Internet cat angle, self incrimination, and public content dissemination. That’s a plot hook which may make a great Lifetime or Netflix program. Amazon is likely to pass on funding the film version of this now familiar story.

Here’s the plot:

There’s the distraught financial institution, in this case, the lovable Capital One. This is the outfit known for “what’s in your pocket”? Good question. The financial outfit teamed up with Amazon in 2015, and according to the “real news” outfit:

In 2015, Capital One Chief Information Officer Rob Alexander said, “The financial services industry attracts some of the worst cyber criminals. So we worked closely with the Amazon team to develop a security model, which we believe enables us to operate more securely in the public cloud than we can even in our own data centers.”

That sounds darned good, but data affecting about 100 million people was breached. That number has not been verified to my satisfaction, and DarkCyber awaits additional data. But 100 million is a good enough number for the story.

Next we have a protagonist with some employment history at Amazon. Remember that this is the cloud service which was in the chain of data compromise. But — and this is important — Amazon was not at fault. The security problem was a is configured bit of “infrastructure.” Plus, the infrastructure which was the point of weakness is “common to both cloud and on premises data center environments.”

The story ends with a suspect. If the program becomes a mini series, we will follow the protagonist with empathy for cats through a trial, and perhaps a variation on the story weaving of “Orange Is the New Black.”

What’s missing from the analysis in the “real news” outlets? Here in Harrod’s Creek, Kentucky, we think of Amazon as an outfit with nifty white Mercedes Benz vans and fast moving van drivers.

But a couple of the pundits lounging in the convenience story / tavern floated some ideas:

  1. Why is Amazon not providing a system to address misconfiguration? It seems that 100 million people are now aware of this dropped ball.
  2. Why is an Amazon person, presumably with Amazon expertise, behaving in a manner that appears problematic? If the person was hired, what’s the flaw in the Amazon hiring process? If the person was terminated for a germane reason, why was the person not given appropriate “support” to make the transition from Amazonian to a person with unusual online activities? How does Amazon prevent information from being used by a former employee? What can be improved? Are there other former Amazon employees who are able to behave in an allegedly problematic way?
  3. Why is the problem “common” to use Capital One’s alleged word quoted in the WSJ story? There are dozens upon dozens of firms which are marketing themselves as cyber safeguard providers. Are these services used by Amazon, or is Amazon relying on home grown solutions. There are indeed Amazon’s own security tools. But are these findable, usable, reliable, and efficacious? Security may be lost in the thicket of proliferating Amazon products, services, and features. In effect, is it possible that Amazon is not doing enough to prevent such security lapses associated closely with its cloud solutions.

Stepping back, let’s think about this incident in a cinematic way:

  1. A giant company offering services which are so complex that problems are likely to result from component interactions, blundering customers, and former employees with a behavior quirk.
  2. A financial services firm confident of its technical competence. (Note that this financial firm with a previous compliance allegation which seemed to pivot on money laundering and ended with a $100 million fine. See “Compliance Weaknesses Cost Capital One $100M”, October 23, 2018. You will have to pay to view this allegedly accurate write up.
  3. A protagonist who seemed to send up distress flags via online communication channels.

What’s the big story?

Maybe there’s a “heart of darkness” with regard to security within the Amazon jungle.

To which jungle was Joseph Conrad, author of the “Heart of Darkness” referring?

“Nowhere did we stop long enough to get a particularized impression, but the general sense of vague and oppressive wonder grew upon me. It was like a weary pilgrimage amongst hints for nightmares.”

Psychological, digital, or financial? With the JEDI contract award fast approaching, will the procurement officials interpret the Capital One breach as a glimpse of the future. Maybe Oracle is correct in its view of Amazon?

Stephen E Arnold, July 31, 2019

Cyber Threats from Semi Insiders

July 24, 2019

I was thrilled to learn that the New York Times (which quoted me on Sunday, July 21, 2019) concluded that I had no work for the last 40 years. Well, I least I don’t rely on a SNAP card, sleep under the overpass, and hold a sign which says, “Will analyze data for food.”

What did I do in those four decades which the NYT fact checkers couldn’t find? I worked as a rental. Yep, a contractor. A semi insider.

I did what I was paid to do, delivered by now routine “This is what I think, not what you want me to think” reports, and muddled forward.

For some outfits for which I worked, I was a regular. I did projects for years, decades even. For some government agencies, it may seem as if I never left because my son is working on the projects now.

I suppose the phrase “semi insider” explains this relationship. One is “around” long enough that people assume you are part of the furniture or the break room.

I thought of this “semi insider” phrase when I read “Siemens Contractor Pleads Guilty to Planting Logic Bomb in Company Spreadsheets.” The guts of the write up strikes me as:

But while Tinley’s files worked for years, they started malfunctioning around 2014. According to court documents, Tinley planted so-called “logic bombs” that would trigger after a certain date, and crash the files. Every time the scripts would crash, Siemens would call Tinley, who’d fix the files for a fee.

So the idea was sell more work.

My view is that this practice is more widespread than may be recognized.

How does one deal with a situation in which a company’s management and regular “professionals” are so disconnected from the semi insiders’ work that no one knows there’s a scheme afoot?

How does a zip zip zip modern outfit hire individuals who can be trusted, often over a span of years?

How does an organization verify that its semi insiders have not planted a bug, malware, or some other malicious “thing” in a system?

The answer is that today’s cyber security tools will not be much help. Most organizations lack the expertise and resources to verify that what semi insiders do is a-okay.

There’s a lot of chatter about identifying and tracking insider threats. The story makes clear that semi insiders are a risk as well. Considering that Snowden and others who have acted improperly and outside the bounds of their secrecy and other agreements makes crystal clear:

Semi insider threats are a significant risk.

And as the “expertise” of many technical professionals decreases, the risks just go up.

In short, today’s cyber security solutions, cyber governance methods, and day to day management techniques are ineffective, not addressed by cyber security solutions which are essentially reactive, and not well understood.

Siemens may have gotten the memo. It only took two years to arrive.

Stephen E Arnold, July 23, 2019

NSO: More PR Excitement, Facts, or Bloomberg Style Reporting?

July 20, 2019

I read the Financial Times’ write up about NSO Group. The title is a show stopper: “Israeli Group’s Spyware Offers Keys to Big Tech’s Cloud.” (Note: You may have to pay money to view the orange newspaper’s online “real” news write up.

There’s a diagram:

image

There’s a reminder that NSO is owned by an outfit called “Q Cyber.” There’s information contained in a “pitch document.” There’s a quote from Citizen Lab, a watchdog outfit on cyber intelligence firms and other interesting topics.

What’s missing?

  1. Information from a Q Cyber or NSO professional. A quote or two would be good.
  2. Statements from an entity which has used the method and obtained the desired results; for example, high value intel, a person of interest neutralized, the interruption of an industrialized crime operation, or something similar
  3. Scanned images of documents similar to the Palantir Gotham how to recently exposed by Vice, a zippy new news outfit.

Think about the PR problem the revelations create: NSO gets another whack on the nose.

Think about the upside: Visibility and in the Financial Times no less. (Does NSO need more visibility and semantic connections to Amazon, Apple, or any other “in the barrel” high tech outfit?)

Outfits engaged in cyber intelligence follow some unwritten rules of the road:

First, these outfits are not chatty people. Even at a classified conference where almost everyone knows everyone else, there’s not much in the way of sales tactics associated with used car dealers.

Second, documentation, particularly PowerPoints or PDFs of presentations, are not handed out like chocolate drops for booth attendees who looked semi alert during a run through of a feature or service. Why not whip out a mobile device with a camera and snap some of the slides from the presentation materials or marketing collateral? The graphic is redrawn and quite unlike the diagrams used by NSO type cyber intel outfits. Most trained intelligence professionals are not into “nifty graphics.”

Third, cyber intel companies are not into the media. There are conference organizers who snap at people who once worked as a journalist and made the mistake of telling someone that “before I joined company X, I worked at the ABC newspaper.” Hot stuff New York Times’ stringers are stopped by security guards or police before getting near the actual conference venue. Don’t believe me. Well, try to gate crash the upcoming geo spatial conference in Washington, DC, and let me know how this works out for you.

Fourth, why is NSO acting in a manner so different from the other Israel-influenced cyber intelligence firms? Is Voyager Labs leaking details of its analytic and workflow technology? What about Sixgill’s system for Dark Web content analysis? What’s Webhose.io doing with its content and expanding software suite? What’s Verint, a public company, rolling out next quarter? NSO is behaving differently, and that is an item of interest, worthy of some research, investigation, and analysis.

For the established cyber intel firms like NSO, assertions are not exactly what sells licenses or make BAE Systems, IBM, or Raytheon fear that their licensees will terminate their contracts. How many “customers” for NSO type systems are there? (If you said a couple of hundred, you are getting close to the bull’s eye.) Does publicity sell law enforcement, security, and intelligence systems? Search engine optimization specialists are loco if they think cyber intel firms want to be on the first page of a Google results page.

Consider this series of bound phrases:

Cat’s paw. Bloomberg methods. Buzzfeed and Vice envy. A desire to sell papers. Loss of experienced editors. Journalists who confuse marketing with functioning software?

These are the ideas the DarkCyber team suggested as topics an investigator could explore. Will anyone do this? Unlikely. Too arcane. Too different from what problems multiple systems operating on a global scale present for one method to work. Five Eyes’ partners struggle with WhatsApp and Telegram messages. “Everything” in Amazon or Apple? Really?

Net net: Great assertion. How about something more?

Stephen E Arnold, July 20, 2019

A Partial Look: Data Discovery Service for Anyone

July 18, 2019

F-Secure has made available a Data Discovery Portal. The idea is that a curious person (not anyone on the DarkCyber team but one of our contractors will be beavering away today) can “find out what information you have given to the tech giants over the years.” Pick a social media service — for example, Apple — and this is what you see:

fsecure

A curious person plugs in the Apple ID information and F-Secure obtains and displays the “data.” If one works through the services for which F-Secure offers this data discovery service, the curious user will have provided some interesting data to F-Secure.

Sound like a good idea? You can try it yourself at this F-Secure link.

F-Secure operates from Finland and was founded in 1988.

Do you trust the Finnish anti virus wizards with your user names and passwords to your social media accounts?

Are the data displayed by F-Secure comprehensive? Filtered? Accurate?

Stephen E Arnold, July 18, 2019

Crashing Teslas: No Dark Web Inputs Needed

June 21, 2019

Do you want to interfere with a Tesla’s electronics? You don’t need to prowl the Regular Web for hacking forums. You don’t need to fire up Tor and visit Dark Web sites. A quick search of Bing and Google delivers a link to “Tesla Model 3 Spoofed Off the Highway.” The information in the write up is a summary of an experiment. DarkCyber understands that.

The products and methods disclosed in the write up will make it easier for some vendors of intelligent driver assistant systems to improve their products. The publicity generated by the listing of the off-the-shelf products used in this experiment will benefit the manufacturers. DarkCyber anticipates a spate of high school science fair projects which present the results of potential engineers’ experiments.

We learned in the write up:

Yonatan Zur, Regulus Cyber CEO and Co-Founder, emphasized this goes way beyond Regulus Cyber and Tesla: “We designed a product to protect vehicles from GNSS spoofing because we believe it is a real threat. We have ongoing research regarding this threat as we believe it’s an issue that needs solving. These new semi-autonomous features offered on new cars place drivers at risk and provides us with a dangerous glimpse of our future as passengers in driverless cars. By reporting and sharing incidents such as this we can ensure the autonomous technology will be safe and trustworthy. “

The purpose of the research is to inform people about vulnerabilities and to boost sales of Regulus anti-spoofing technology. The company will provide a curious person with a free research summary — in exchange for an email address.

DarkCyber is not sure whether to thank Regulus for making the vulnerabilities of autonomous technology to hacks and spoofs or whether to suggest the firm a less sensational way to publicize the results of their experiments.

If you own a Tesla or other vehicle with certain types of assist mechanisms, those systems may be vulnerable. Bad actors and frisky high school science club students are likely to do some experimenting.

Will Regulus’ research results have the sales impact the company wants? Will other impacts be observable? Have US government oversight agencies pursued similar research into security and safety issues for smart vehicles?

Tough questions to answer.

Stephen E Arnold, June 21, 2019

Restaurant AI Has A Lot of Security Baggage

June 13, 2019

It might sound harmless, when we hear news of the food industry getting involved in AI to dial in dishes and accommodate our palettes. But if you are a bad guy, that looks a lot different. It looks like a buffet. We learned more about the odd risks that could crop up from such AI use from a recent Venture Beat story, “Ex-Googler Alon Chen’s Tastewise Uses AI to Identify and Predict Food Trends.”

According to the story:

“Using AI to predict food trends and stir up new recipes is nothing new, of course. IBM recently announced that it’s teaming up with McCormick & Company to create new flavors and foods with machine learning. IBM’s Chef Watson, a research project that sought to create new recipes by analyzing the chemical composition of hundreds of different ingredients, produced more than 10,000 novel recipes.”

Believe it or not, security agencies are using the same logic that the above organizations are using to predict eating patterns to predict criminal patterns. However, if you fear this is veering us closer to “Minority Report” status, you are not alone. Many experts are thinking about how to use this technology to fight crime, but still maintain human rights. A tricky proposition.

Patrick Roland, June 13, 2019

LookingGlass Threat Map

June 11, 2019

You may want to check out an interesting approach to marketing as practiced by a cyber intelligence firm. And if you are curious about threats posed by exploits, malware, and other cyber weapons, you will want to examine the LookingGlass Threat Map. The display shows attacks (attempted and successful). If you put your mouse on the map, you can display threats by region. The map is zoomable, so you can obtain information about target of the attack; for example, attacks in Italy. Click on a dot and information about the attack is displayed in a pop up window.

image

The map also displays a moving real time graph of attacks per second. DarkCyber found the scrolling list of attack types particularly interesting. One can see that the Sality variants are one of the more popular attacks at this time (Tuesday, June 11, 2019, 0603 US Eastern time).

The threat map provides graphs as well; for instance:

image

I discuss some of LookingGlass’ capabilities in my Dark Web 2 lectures. For more information about LookingGlass, navigate to the company’s Web site. The Sality exploit exists in variants. The software has been available for many years. It exploits the bad actors’ best friend: Microsoft Windows. After 16 years and numerous variants, one could ask the question, “What’s up with this, Microsoft?”

I won’t ask that question because I address Microsoft’s ball fumbling in the DarkCyber video for June 11, 2019.

Stephen E Arnold, June 11, 2019

About That Internet Traffic to China

June 10, 2019

The Cisco Talos researchers pointed out that a foundation server was under stress. I discussed this on June 4, 2019, in my lecture at the TechnoSecurity & Digital Forensics Conference. The idea of usurping control of lower level Internet services and devices is a wake up call. I noted the rerouting of Internet traffic to China in a number of reports such as this one: “For Two Hours, a Large Chunk of European Mobile Traffic Was Rerouted through China. It Was China Telecom, Again. The Same ISP Accused Last Year of “Hijacking the Vital Internet Backbone of Western Countries.”

According to the story:

The incident occurred because of a BGP route leak at Swiss data center colocation company Safe Host, which accidentally leaked over 70,000 routes from its internal routing table to the Chinese ISP.

My hunch is that the word “leak” which is used in the write up is short hand for hip hopping over more analytic explanations.

First, the BGP or border gateway protocol is one of those plumbing components which have become juicy targets of opportunity. The Internet Servicer Providers get these up and running and then worry only when something goes wrong.

China Telecom, the third largest ISP in China, noted the issue and, according to ZDNet,

re-announced Safe Host’s routes as its own, and by doing so, interposed itself as one of the shortest ways to reach Safe Host’s network and other nearby European telcos and ISPs.

When such issues like this magical “leak” occur, the fixes are applied quickly, often within minutes either by automated scripts or semi automated humans who are monitoring alerts or logs.

This problem took a couple of hours to remedy, and my thought is that one can learn a great deal in that two hour span; for example:

  • Length of time between “leak” and someone noticing
  • Facts about traffic volume, data types, handoff points in the flow, etc.
  • After event consequences; that is, fixes put in place to prevent such “leaks” in the future.

In short, one might gain some operational intelligence. That’s hypothetical, of course. Of course.

Like the attacks on Netnod servers, the goal is to gain access. With that access savvy operators will remain invisible. There’s no reason to let anyone know that a vital component of the increasingly burdened Information Highway is in the hands of bandits riding Mongolian ponies.

Was this a “leak”? Good question.

Stephen E Arnold, June 10, 2019

When Know How Gets Loose: Excitement Ensues

May 23, 2019

Bad actor hackers are pains in the rear, especially when they steal personal information. They are even worse when they steal from the government and use the stolen information for nefarious purposes. From The Trenches World Report explains the how and why about the hackers in that “China Used NSA Cyber weapon To Hack Targets, Symantec Says.”

The NSA developed a hacking tool dubbed “Double Pulsar” that can secretly download malware onto Windows-based PCs. Chinese hackers stole it, put their stamp on it, and used it on unsuspecting victims back in 2016. There was evidence that the altered Black Pulsar paired with another Chinese hacking tool were used in attacks in Belgium and Hong Kong. What is even worse is that the Chinese hacking tool could only hack 32-bit systems, but was revamped to attack 64-bit systems with newer Windows versions.

It is unknown how the alleged Chinese hackers obtained Double Pulsar. The possible theories are that an NSA server with bad security or a NSA employee went rogue. Another idea is that the hackers collected some NSA traffic that contained Double Pulsar..

“Whatever the case may be, the findings underscore the risks of NSA cyber weapons falling into the wrong hands. Double Pulsar, itself, is no longer a secret. In April 2017, a mysterious party called the Shadow Brokers went online and dumped a cache of NSA hacking tools, which included details on Double Pulsar. A month later, the same NSA hacking tools were used to launch Wannacry, a ransomware attack that hit Windows machines across the world.

Who the Shadows Brokers are remains a mystery. But according to Symantec, the Chinese hacking group that gained access to Double Pulsar no longer appears to be active. In Nov. 2017, the US publicly charged three members of the group with hacking crimes and intellectual property theft.”

One more hacking tool is now an open source piece. DarkCyber is not keen on certain types of technology becoming widely available.

Whitney Grace, May 23, 2018

Next Page »

  • Archives

  • Recent Posts

  • Meta