More Magecart

The PCI (Payment Card Industry) Security Council weighed in recently on the Magecart skimming threat–you can read a summary of it over at Dark Reading. From the PCI bulletin, here are some best practices:

What are some DETECTION best practices?

  • Use of vulnerability security assessment tools to test web applications for vulnerabilities
  • Use of file-integrity monitoring or change-detection software
  • Performing internal and external network vulnerability scans
  • Performing periodic penetration testing to identify security weaknesses
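The second detection item, file-integrity monitoring, is the one most directly aimed at web skimmers, which work by altering or adding scripts on the checkout page. The following Python script is an added illustration of how such a check works; it is not from the PCI bulletin or from any vendor product. It hashes the watched files under a web root, stores that as a baseline, and later reports anything modified, added or removed. The web root, file names and the set of watched extensions are constructed for the demo.

```python
"""File-integrity check for a web root: build a hash baseline, then diff against it.

Added example, not part of the PCI guidance. Paths and sample files are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumption: these are the file types a page-skimming change would touch.
WATCHED_SUFFIXES = {".js", ".html", ".php", ".css"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root: Path) -> dict:
    """Map each watched file (relative, POSIX-style path) to its SHA-256 hash."""
    baseline = {}
    for p in sorted(web_root.rglob("*")):
        if p.is_file() and p.suffix in WATCHED_SUFFIXES:
            baseline[p.relative_to(web_root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict, web_root: Path) -> dict:
    """Re-hash the tree and report what changed relative to the stored baseline."""
    current = build_baseline(web_root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then change the tree and diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "checkout.js").write_text("function pay() { /* original */ }\n")
        (root / "index.html").write_text('<html><script src="js/checkout.js"></script></html>\n')

        baseline = build_baseline(root)  # in practice: store this off-host, read-only

        # Changes made after the baseline: one script edited, one new script dropped in,
        # and one binary asset added that is outside the watched set.
        (root / "js" / "checkout.js").write_text("function pay() { /* original */ }\n// extra line\n")
        (root / "js" / "vendor.min.js").write_text("// new script\n")
        (root / "logo.png").write_bytes(b"\x89PNG")

        return compare(baseline, root)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two practical notes. The baseline has to live somewhere an attacker on the web server cannot rewrite, or the monitor only confirms whatever the intruder left behind. And an on-disk check only sees files on your own host: a skimmer injected into a third-party script that the page loads from another domain never touches the web root, so this check should be paired with monitoring of the scripts the checkout page actually requests in the browser.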

What are some PREVENTION best practices?

  • Implement malware protection and keep up to date
  • Apply security patches for all software
  • Restrict access to only what is absolutely needed and deny all other access by default
  • Use strong authentication for all access to system components

Make sure your business is keeping this on its radar–especially if you’re processing payments online.

Black Hat Wrap Up

Overall, my Black Hat experience was a good one.  Coming away from it, I feel like I learned a lot–from new vocabulary to new ideas.  It also gave me a better appreciation for how big of an issue cybersecurity really is. It is almost overwhelming how many threats exist in the cybersecurity space–from deep fakes to social engineering to misinformation to all-out war.

I think that one of the most important things I learned from Black Hat, and which is at the root of many problems, is the importance of communication about cyber issues. The industry (as represented by the speakers at Black Hat) is well aware that cybersecurity is coming into its own. They know that it is beginning to be seen as a legitimate concern for business and that they have the attention of people in the C-Suite. Yet, there is still a major communication gap. From my perspective at Black Hat, I had a hard time understanding everything presenters were saying, even though I went into it with both an interest in what they were saying and a desire to understand. I hate to rely on stereotypes, but a lot of the presenters and attendees at Black Hat were your stereotypical tech types. They are not always the most articulate and are often more adept at expressing themselves in code than they are in words. This means there is a lot of work to be done with regard to building bridges and maintaining existing bridges.

Walking through the Business Hall full of booths from various cybersecurity companies, the communication issue was even more glaring.  While I saw the names of plenty of cybersecurity companies that I recognized like FireEye, RiskIQ, BlackBerry, and McAfee, I also came across a lot of companies that I did not recognize. As I looked at their booths, looking for any details about what they did, I saw a lot of the same vague, esoteric, industry-specific phrases that do not really tell you what they do.  To borrow a phrase from Kevin Beaumont (@Gossithedog), the booths were full of “content free buzzwords.” To be fair, for the most part, the people in the booths were able to explain what they did in a way that I could understand. But it was still easy to discern the difference between the showroom floor and the briefing room, each with its own idiomatic lexicon.  While the people selling the various products and software are salespeople and not necessarily technologists, they too have work to do in building a bridge to the C-Suite and policy makers.

It is no wonder I saw potential communication issues when people in the industry are literally all over the map dealing with different issues, languages, threats, and technologies. Each one of them has their own priorities that do not always align with those of everyone around them.  That creates a lot of opportunities for conflicts and a need for intermediaries who can understand both sides of technology and policy. The good news is that I got an overall impression of optimism out of the conference. There was a sense of community and a feeling that they are doing something big for the world–and I think they are. It will be fun to watch the topic of cybersecurity continue to develop and change.

Black Hat Day 2

To start my second day at Black Hat, I attended a briefing about how a researcher hacked his fiancée’s identity through GDPR (General Data Protection Regulation) requests.  I thought this was fascinating and especially relevant to my practice because of the upcoming CCPA (California Consumer Privacy Act). Both the GDPR and CCPA are privacy laws that are going to greatly impact business and cybersecurity now and in the coming years.  After he experienced a lengthy delay on a European budget airline, the speaker and his fiancée talked about how they could get back at the airline by making a GDPR request and wasting their time. While discussing it, they decided he should turn it into a social engineering hacking experiment.  The results were interesting and show how easily the GDPR can be exploited. He was able to get a considerable amount of information from various companies using information he could easily find about his fiancée on the web.

The next speaker was Bruce Schneier, who writes the Schneier on Security blog.  He talked about the need for more people doing what he does as a “public interest technologist.”  One of the major points he started off with was that there is a communication barrier between technologists and policy makers.  To quote him, “Almost no policy makers understand the tech.” He said this dates back to the early days of computers in the 1960s and has persisted through today. He elaborated that policy makers need to have someone on their side with a technology background to help them understand.  Right now, technology has greater power than policy makers–for example, if Google makes a censorship decision, it will have an almost immediate impact and is more effective than law. The same is not true for government, which takes ages to pass a law that is no longer relevant by the time it is enacted.  He compared public-interest technology to public-interest law, suggesting that just as the latter didn’t really exist 50 years ago, there is a path for making this a reality.

Another briefing I attended dealt with how some researchers hacked BMW vehicles and how BMW went about responding to the breach.  One interesting point from this was that the researchers presented their findings based on four car models. The BMW response team had to verify and address the threat in those four as well as in the hundreds of different iterations of those models.  The issue and response varied based on where the cars were located, what kind of parts they had, etc. Although they did not go into great detail, it was neat to see a glimpse into real incident response from a corporation with global reach.

Part of my afternoon was spent wandering the business hall trying to talk about Magecart.  Magecart was the topic of an article I did earlier this year for Dark Reading.  Throughout Black Hat I was listening and watching for any mention of Magecart or credit card skimming, but I just was not hearing it.  The only prominent place I even saw the word “Magecart” was on the RiskIQ booth. One of RiskIQ’s researchers (who was unfortunately not at Black Hat) is a leader in the Magecart field.  I asked his colleagues at that booth why I was not hearing more about Magecart. They had no definitive answer. As I asked other people around the expo floor, it seemed few people had even heard of Magecart, let alone knew what it was.  This is concerning to me for the same reason it was concerning to me when I wrote about it: how is it that this hacking practice which has been around for over 5 years now and has stolen more credit card numbers than the Home Depot and Target breaches combined does not have more awareness?  A big part of it could be that many people at Black Hat are just focused on other things. Another possibility is that it is not as big of a deal as I perceive it to be. Either way, I still believe it is a legitimate concern about which online retailers should be very wary.

The second to last session I attended talked about how misinformation is used and was called “Hacking Ten Million Useful Idiots: Online Propaganda as a Socio-Technical Security Project.”  This focused on how easy it is to use misinformation to achieve certain desired or undesired outcomes. There were several comparisons to the Soviet propaganda machine. This is obviously a big deal these days as a big part of incident response is public relations.

The last session of the day was one of my favorites.  It was called Lessons and Lulz: The 5th Annual Black Hat NOC report.  It was a presentation by the guys who run the NOC (Network Operations Center) at Black Hat.  They talked about how they created the NOC, what kind of architecture they used, and then they told us some of the funny things they found in observing Black Hat traffic.  This was fascinating to me given my initial concern about device security at Black Hat and my observation that many of the security professionals at the conference were not practicing what they preach.  

Prior to the two days of briefings I attended, Black Hat had some sessions where people do hands-on training with computers and hacking.  Apparently during one of the trainings, a student decided to try and infiltrate and exploit a law enforcement website. The NOC caught this and quickly made their way to the classroom to politely ask the hacker to not do that.  They bring all of their own equipment in for Black Hat (provided by business partners) and set it up so that the only network infrastructure they were using that belonged to Mandalay Bay was the wires in the walls (on account of being control freaks).  Funny enough, the only real network problem they had during Black Hat ended up being due to one of the wires in the wall–literally the only thing that was not completely within their control.

There was a public conference wifi at Black Hat.  I never used it, but apparently many did, and the NOC monitored it and said that 70% of traffic on it was encrypted.  (They mentioned that at Black Hat Asia, 90% of traffic is encrypted. When they asked someone why that was, he said it was because they implicitly do not trust their government.)  Of the unencrypted traffic, they found some personal information being transmitted in clear text. For example, they found an email to one attendee from Southwest Airlines and pointed out that with her last name and the confirmation number that was not encrypted, they could have changed her flight.  They also found one guy who was transmitting photos of financial documents like his mortgage statement to get his freshman college student some financial aid. When they talked to him about it, he thought he was logged into a VPN and protected. While his VPN showed that it was connected, it turns out it was not, and his data was exposed.  These were very real reminders about how easily our information can be snatched up. The last thing the NOC guys disclosed was the surprising amount of traffic going to porn sites on the conference wifi. They noted that one guy was visiting a porn site with very long videos and no ads whatsoever on the site–with the reason for no ads being that the site was displaying the video but using the user’s computer to mine cryptocurrency in the background.

I’ll wrap up my thoughts about Black Hat in my next post.

Black Hat – Day 1

I’m not going to write about everything I did during my Black Hat experience, but I will try and at least mention most of the sessions. It started off with a mildly interesting keynote address.  Then I went to a 25-minute briefing called “Detecting Deep Fakes with Mice.” (Briefings vary between 25- and 50-minute sessions.) It talked about how much time and processing goes into making a deep fake puppet of someone (like a politician–upwards of 17 hours of video footage was needed to make a deep fake of Obama). They also talked about how they were using mice that could distinguish sounds to detect when a human-sounding voice was fake by training them to listen for certain characteristics.

The next briefing was a 50-minute presentation called “The Most Secure Browser? Pwning Chrome from 2016 to 2019.”  As a lawyer, I chose this because I use Chrome on almost a daily basis and I thought it would be neat to get an idea of some of its vulnerabilities.  While I understood the words coming out of the presenter’s mouth, it was like listening to a foreign language because I had no clue what they were talking about.  The majority of the slides in the presentation were lines of code. I made a note to myself going forward to try and avoid the ones that looked like they were going to be mostly code.

Despite the hit-and-miss nature of the three morning sessions, things picked up for me in the afternoon when I attended some briefings that were more up my alley.  The first was called “Cyber Insurance 101 for CISOs.” The presenter was a cyber insurance broker who described what some cyber insurance policies offer these days.  He specifically mentioned that they provide their insureds with a breach coach and legal counsel to help guide them through incidents. It was nice to hear them mention some of the roles that I can fill when these incidents occur.

After that I attended a briefing on MITRE ATT&CK.  While I was not familiar with it, I chose it because it seemed to deal with assessing risk and, as I learned, it turns out it does. MITRE ATT&CK is an online database full of different hackers/organizations with their known techniques, tactics, and practices.  Following that I was back in another briefing with a senior vice president of underwriting at Chubb talking about how insurance and cybersecurity interact.  It was great to hear about what an underwriter looks at when they decide whether to take the risk and issue a cyber policy. They basically do a high-level risk assessment and have other subject matter experts take a deep dive into the analysis.

Finally, I attended a briefing that dealt with an exploit of the Trezor hardware wallet for cryptocurrency.  This was of particular interest since I own this product. This researcher found a way to use electromagnetism to hack the device without altering its physical appearance.  This would allow someone to access the cryptocurrency stored on the device and even get the required seed words without the owner knowing they had been breached. The good thing about this (and most of the breaches/exploits discussed at Black Hat) is that they had already told the company that makes Trezor, and the exploit has been successfully patched.

Black Hat USA 2019

Last week I had the opportunity to attend Black Hat USA 2019. I was familiar with Black Hat before last week; however, I did not know much about it other than that it was a hacker conference in Las Vegas and that, when it happened, there were usually a lot of hacking incidents in and around the Strip.  So when I found out that I would be attending Black Hat 2019, I was excited and intrigued by the opportunity, but also a little apprehensive. What was I getting myself into? Am I going to get hacked? Should I bring my phone?  Do I leave it powered off? Am I going to understand anything they talk about?

Before going I decided to address my concerns about attending by researching various tips and tricks.  I read a lot of pieces suggesting that you get a burner phone and leave all of your personal electronics at home.  Others suggested that you leave your devices in airplane mode unless absolutely necessary to connect. Ultimately, I ended up deciding that the safest thing for me would be to leave my phone powered off at home and put my watch in airplane mode.  And so that I would not be left without a connection to the outside world, I would help test my firm’s cybersecurity by bringing my work phone. I wouldn’t connect to any public wifi and I would turn off Bluetooth, but I would still use the phone to access the Black Hat app and to check Twitter throughout the day.  Only time will tell if I got hacked, but once I was there I was not quite as worried. I saw numerous people exhibiting much riskier behavior than I was. And as far as I can tell, I survived unscathed. I think that the burner option is a little much for most people, but it may be appropriate for your situation. You will have to make that decision.

My next few posts will be about the briefings I attended and what I learned at Black Hat. Stay tuned!

Your People Are Your Best Defense

Earlier this week an indictment was unsealed that revealed details about how AT&T employees were bribed to install malware and unlock phones in multiple incidents over a five-year period. You can read more details at Forbes. The big takeaway from this is a reminder that your company’s cybersecurity relies on your people. If they’re not on board with protecting your data, you are at risk. In this case, employees were bribed with large amounts of money to install malware that gave hackers access to AT&T’s system and employee passwords, etc. We may never know if AT&T could have prevented this, but in a large company with a lot of employees, it seems unlikely. That doesn’t mean that small to medium sized businesses don’t face this risk as well. The fact of the matter is that you need employees you can trust. Not only that–they need to be educated on best practices to avoid unwittingly assisting hackers via phishing and social engineering.

Clark County School District Data Breach

Clark County School District, the nation’s fifth largest school district covering Las Vegas and surrounding areas, announced a “vendor data security incident” last night. The data breach involved a vendor called Pearson Clinical Assessment. CCSD provided no details about how the incident happened, but claimed that it affected over 500,000 students by exposing their names and some birthdates. Mashable reports that Pearson PLC learned of the breach in March and believes the breach to have affected 13,000 schools and universities using its AIMSweb 1.0 system. According to the Wall Street Journal, the data was not misused and does not include social security numbers or credit card information. Despite that, Pearson is offering complimentary credit monitoring services to affected students. Since only time will tell the true extent of the breach, it is a good idea to take advantage of the credit monitoring service if you or your kids were affected. If you are interested in learning more about this option, please call 866-883-3309 or email aimsweb1request@pearson.com.