CyberWeekly #6 Whose fault is a breach anyway?
Welcome to CyberWeekly, a weekly roundup of news, articles, long form blog posts and various other miscellanea that interest your author, Michael Brunton-Spall.
Feel free to forward this on to people you think might be interested. If someone forwarded this to you, then you can subscribe to your own copy at Cyberweekly
If this is the first letter you've received, you can browse the Cyberweekly archive online.
Replies to this email come straight to me, so just hit reply to send me feedback, comments or links or tweet it to me @bruntonspall.
This week saw an interesting breach of the Ticketmaster payment processing system. A third party, Monzo, noticed the breach months before Ticketmaster were able to confirm it. Ticketmaster claim it wasn't their breach but one of their suppliers'; the supplier admits being hacked but claims it wasn't their responsibility, as they didn't recommend putting the JavaScript onto the payment processing pages.
As the complexity of web applications and technology estates grows, it's going to become harder and harder to work out the impact of a breach, and to determine who is responsible for keeping the users' data safe. The world we live in is complex and difficult, and nothing will ever be clear and simple about this stuff.
In newsletter news, a few people haven't received some of the more recent editions. I contacted TinyLetter and the best they could recommend was to add cyberweekly@brunton-spall.co.uk to your address book, which should whitelist it from spam filters.
Anyway, enjoy this week's reading and analysis.
Breaches
Monzo – Protecting customers from the Ticketmaster breach: Monzo's story
"By the next week, another nine cards had been used fraudulently and all of them had been used to make Ticketmaster transactions. One of those cards had been previously used for an attempted transaction at Ticketmaster, but the expiry date had been typed incorrectly so the transaction had failed. That same (incorrect) expiry date was then used in an attempted fraudulent transaction on the Monday, providing further evidence that Ticketmaster was the source of the breach."
This is a great bit of sleuthing by the Monzo security team. Do you think you could do this level of introspection in your secops/fraud/SIEM tooling, and if not, why not?
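The two signals Monzo describe, a merchant common to every card later used fraudulently and a mistyped expiry date that reappears in the fraud attempts, are both straightforward to compute if you keep card-level transaction history. The following is an added example, not Monzo's code or data: a common-point-of-purchase ranking over a constructed set of transactions, plus the expiry-typo corroboration, with merchant and card names all made up.

```javascript
// Added example (not from the Monzo post). All data below is constructed.

// Constructed approved-transaction history: which card was used at which merchant.
const TRANSACTIONS = [
  { card: 'c1', merchant: 'TicketCo' }, { card: 'c1', merchant: 'Grocer' },
  { card: 'c2', merchant: 'TicketCo' }, { card: 'c2', merchant: 'Coffee' },
  { card: 'c3', merchant: 'TicketCo' }, { card: 'c3', merchant: 'Grocer' }, { card: 'c3', merchant: 'Coffee' },
  { card: 'c4', merchant: 'Grocer' },   { card: 'c4', merchant: 'Coffee' },
  { card: 'c5', merchant: 'Grocer' },
];

// Cards the fraud team later confirmed as used fraudulently (constructed).
const FRAUD_CARDS = new Set(['c1', 'c2', 'c3']);

// Group the distinct merchants each card has been used at.
function merchantsByCard(transactions) {
  const byCard = new Map();
  for (const t of transactions) {
    if (!byCard.has(t.card)) byCard.set(t.card, new Set());
    byCard.get(t.card).add(t.merchant);
  }
  return byCard;
}

// Rank merchants by how much of the fraud population they cover versus how much
// of the clean population: a breached merchant covers nearly all fraud cards and
// relatively few clean ones. Returns merchants sorted best candidate first.
function commonPointOfPurchase(transactions, fraudCards) {
  const byCard = merchantsByCard(transactions);
  const counts = new Map(); // merchant -> { fraud, clean }
  let fraudTotal = 0;
  for (const [card, merchants] of byCard) {
    const isFraud = fraudCards.has(card);
    if (isFraud) fraudTotal++;
    for (const merchant of merchants) {
      const c = counts.get(merchant) || { fraud: 0, clean: 0 };
      if (isFraud) c.fraud++; else c.clean++;
      counts.set(merchant, c);
    }
  }
  const cleanTotal = byCard.size - fraudTotal;
  const score = (r) => r.fraudCoverage - r.cleanCoverage;
  return [...counts.entries()]
    .map(([merchant, c]) => ({
      merchant,
      fraudCoverage: fraudTotal ? c.fraud / fraudTotal : 0,
      cleanCoverage: cleanTotal ? c.clean / cleanTotal : 0,
    }))
    .sort((a, b) => score(b) - score(a));
}

// Constructed authorisation attempts, including declined ones, in time order (t).
// c2's holder mistyped the expiry at TicketCo; the fraudster later used that same wrong value.
const ATTEMPTS = [
  { t: 1, card: 'c2', merchant: 'TicketCo',    expiry: '11/21', approved: false, fraud: false },
  { t: 2, card: 'c2', merchant: 'TicketCo',    expiry: '11/22', approved: true,  fraud: false },
  { t: 9, card: 'c2', merchant: 'UnknownShop', expiry: '11/21', approved: false, fraud: true },
];

// Find declined legitimate attempts whose (wrong) expiry is reused in a later
// fraudulent attempt on the same card. The merchant where the typo was entered
// is where the captured form data came from.
function typoReuse(attempts) {
  const hits = [];
  for (const typo of attempts.filter((a) => !a.approved && !a.fraud)) {
    const reused = attempts.find(
      (a) => a.fraud && a.card === typo.card && a.expiry === typo.expiry && a.t > typo.t,
    );
    if (reused) hits.push({ card: typo.card, typedAt: typo.merchant, expiry: typo.expiry });
  }
  return hits;
}

console.log(commonPointOfPurchase(TRANSACTIONS, FRAUD_CARDS)[0]); // TicketCo covers 3/3 fraud, 0/2 clean
console.log(typoReuse(ATTEMPTS));                                  // typo entered at TicketCo
```

Both checks need declined attempts and the typed form values, not just settled transactions, which is the data a SIEM or fraud pipeline rarely keeps by default; that is the gap to close if you want to do what Monzo did.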
Inbenta and the Ticketmaster Data Breach - Inbenta
"The attacker(s) located, modified, and used this script to extract the payment information of Ticketmaster customers processed between February and June 2018"
How the attacker was able to modify a script held on a server is not clear here. The separation of responsibilities between the organisations is very blurry and grey, and it was obviously not clearly identified.
JavaScript PCI nightmare: Ticketmaster, Inbenta and the canary in the coal mine
"I’ll give you a spoiler: the risk is very real — this isn’t the first time this has happened, somebody who works for PCI post breach assessment told me that over 75% of all web store breaches they assessed at large enterprises happened due to this reason, a massive increase."
This is a mess of 'PCI as a standard' not keeping up with modern web practices, and, as Kevin points out, the canary in the coal mine for supply chain infections in JavaScript. Adding JavaScript libraries to your front end is common and the security implications are not generally well understood by developers. Backend databases are thoroughly covered by security and compliance teams, but it's rare to meet a full stack security assurance specialist who understands browsers, JavaScript and HTML instead of networks and firewalls.
Marketing Firm Exactis Leaked a Personal Info Database With 340 Million Records | WIRED
"Troia himself spotted the database while using the search tool Shodan, which allows researchers to scan for all manner of internet-connected devices. He says he'd been curious about the security of ElasticSearch, a popular type of database that's designed to be easily queried over the internet using just the command line. So he simply used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses"
Another breach because the database was on the internet, unprotected. Just because it's not called an SQL Server doesn't mean you don't need to protect it, and Elasticsearch historically shipped with no security by default.
User centered security
Changing our testing requirements for Internet Explorer 8, 9 and 10 - Technology at GDS
"Older versions of Internet Explorer don’t support the latest HTML5 features either. This means they won’t benefit from security features like:
Punycode identification
Cross-Origin Resource Sharing (CORS)
Content Security Policy (CSP)
HTTP Strict Transport Security (HSTS)"
The list of features that modern browsers support is growing over time. Staying with legacy browsers for all uses, just because one old application uses ActiveX or something is increasingly bad for your users.
Friction between security and user experience | Decipher
"Scolding users and organizations for less than stellar "best practices" in access management assumes that users are ignorant (or negligent). In reality, it's the security side of the relationship ignoring how painful it can be. Telling users to turn every security feature on without tackling the friction users have to experience makes security adoption even less likely. We need to look at security as a flow, as a process, and not as a set of unrelated instances or events."
This is so important. Security teams discussing the use of things like multi-factor authenticators need to consider what the friction is on the user, and need to take a realistic assessment of the risk. We shouldn't just add 2FA to every account we use online; the usability impact is too high right now.
Blockchain
Feds Pose as Cryptocurrency Money Launderer to Bust Alleged Dark Web Dealers - Motherboard
“Posing as a money launderer for Bitcoin seems like a great mechanism to find the dealers: There are so many paths for the dark net dealers to get drugs. There are much fewer paths for them to get cash”
Always follow the money is the rule for investigating fraud and financial crime, but this is a genius move to act as a money laundering middleman for detecting dark market activity. Of course one of the downsides to blockchain currencies is that the transparency of currency movements makes it easier to understand who paid whom for what.
A technical primer on blockchain | Deloitte Insights
“While many challenges may remain, from lack of regulatory and legal frameworks to rapid technology changes, from talent gaps to consortium building, it is important to not underestimate the impact of blockchain. Every transaction platform and fabric that we know today will likely be either improved or replaced by a blockchain-based solution.”
Deloitte are, perhaps unsurprisingly, bullish on Blockchain. It’s coming whether you want it or not. This article does outline Blockchain or distributed ledger solutions quite well, but avoids commenting on any of the downsides. It’s worth being aware of Blockchain technologies so that when we start seeing Blockchain powered security solutions you can tell the snake oil from the real opportunities.
Agile
Revenge of the PMO | Silicon Valley Product Group
“I can’t imagine any of the strong tech product companies I know choosing to move to SAFe, and if for some reason they did, I’m pretty certain their top talent would leave.”
Strong words from Marty Cagan on the Scaled Agile Framework. This is my experience as well: organisations trying to do agile at scale miss that self-empowered teams who can self-direct are the entire point of agile. Security people often seem to be scared of this as well, and I suspect for the same reason, which is that over the last decade they have not demonstrated how they add value to the business and so are being shut out. Interesting parallels and some food for thought here.
Agile Makes No Sense – Hacker Noon
“Astute observers quickly realize that agility on the team level is but one part of the puzzle. Even when Agile on the team-level makes sense, you need that other part to make sense. The rest of the org was probably the blocker in the first place.”
If we assume for a second that Cybersecurity reform is lagging around 10 years behind agile reform (which is my rough estimate and possibly generous), then articles like this are showing what we might be learning in the next 5 years in Cybersecurity. This final phrase is key to me, even if we get our own house in order, the chances are the rest of the organisation wouldn't know what to do with a high performing security team even if it did exist.
Other
Visa's response to parliament about the recent outage
"Given that consumers may have access to another payment brand's credit or debit card, cash, or Faster Payments, many more purchases are likely to have been completed. For context, we estimate that 40 percent of debit cardholders in the UK also carry a credit card from MasterCard or American Express."
I suspect that only the wealthiest 40% of customers have access to a second card in this instance. It's also worth noting that although the failure rate was 35% for only the first 10 minutes, that caused reputational damage, resulting in stores saying "it's not working" to customers and not even trying after that. It's incredibly hard to measure that kind of impact, because if people didn't try, we don't know how many of them there were!
AWS Privilege Escalation – Methods and Mitigation
"Cloud privilege escalation and IAM permission misconfigurations have been discussed in the past, but most posts and tools only offer ‘best practices’ and not context on what’s actually exploitable. By documenting specific combinations of weak permissions that could lead to compromise, we aim to help highlight these risks and bring awareness to ways API permissions can be abused."
As I said a few weeks ago, one of the big issues with the increasing complexity of cloud environments is the unexpected interactions between different sets of permissions. This is a good example of highlighting the use of certain permissions and working out how someone could exploit them.
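The practical response to "which combinations of permissions are dangerous" is to check for them before a policy is deployed. The following is an added example, not code from the Rhino Security Labs post: a small linter that walks an IAM policy document and flags Allow statements granting actions that rewrite permissions, or `iam:PassRole` alongside an action that launches compute under a passed role. The action names are real IAM actions; the two sample policies and the account id are constructed. It deliberately ignores Deny statements, Conditions, NotAction and Resource scoping, so it over-reports rather than under-reports.

```javascript
// Added example (not from the referenced post). IAM policy linter for risky permission combinations.

// Actions that let a principal change what it, or another principal, is allowed to do.
const PERMISSION_REWRITE = [
  'iam:CreatePolicyVersion', 'iam:SetDefaultPolicyVersion',
  'iam:AttachUserPolicy', 'iam:AttachGroupPolicy', 'iam:AttachRolePolicy',
  'iam:PutUserPolicy', 'iam:PutGroupPolicy', 'iam:PutRolePolicy',
  'iam:UpdateAssumeRolePolicy', 'iam:AddUserToGroup',
  'iam:CreateAccessKey', 'iam:CreateLoginProfile', 'iam:UpdateLoginProfile',
];

// Actions that run code or infrastructure under a role the caller is allowed to pass.
const PASSROLE_SINKS = [
  'ec2:RunInstances', 'lambda:CreateFunction', 'lambda:UpdateFunctionCode',
  'glue:CreateDevEndpoint', 'cloudformation:CreateStack',
];

// IAM action patterns are case-insensitive and support * and ? wildcards.
function actionMatcher(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  const re = new RegExp(`^${escaped}$`, 'i');
  return (action) => re.test(action);
}

// Collect the Action patterns of every Allow statement. Statement and Action may
// each be a single value or an array. Deny/Condition/Resource/NotAction are ignored
// on purpose: this is a conservative pre-deployment check, not a policy evaluator.
function allowPatterns(policy) {
  const patterns = [];
  for (const s of [].concat(policy.Statement || [])) {
    if (s.Effect !== 'Allow' || !s.Action) continue;
    patterns.push(...[].concat(s.Action));
  }
  return patterns;
}

// Return findings: { rule, evidence } for each risky grant or combination found.
function lintPolicy(policy) {
  const patterns = allowPatterns(policy);
  const matchers = patterns.map(actionMatcher);
  const allows = (action) => matchers.some((m) => m(action));
  const findings = [];
  if (patterns.includes('*')) findings.push({ rule: 'admin-wildcard', evidence: ['*'] });
  for (const action of PERMISSION_REWRITE) {
    if (allows(action)) findings.push({ rule: 'permission-rewrite', evidence: [action] });
  }
  if (allows('iam:PassRole')) {
    for (const sink of PASSROLE_SINKS) {
      if (allows(sink)) findings.push({ rule: 'passrole-to-compute', evidence: ['iam:PassRole', sink] });
    }
  }
  return findings;
}

// Constructed policies. 111122223333 is a placeholder account id, not a real one.
const DEVELOPER_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['s3:GetObject', 's3:ListBucket'], Resource: '*' },
    { Effect: 'Allow', Action: 'iam:PassRole', Resource: 'arn:aws:iam::111122223333:role/app-*' },
    { Effect: 'Allow', Action: ['lambda:*'], Resource: '*' }, // looks harmless on its own
  ],
};
const READONLY_POLICY = {
  Version: '2012-10-17',
  Statement: { Effect: 'Allow', Action: ['s3:Get*', 'ec2:Describe*'], Resource: '*' },
};

console.log(lintPolicy(DEVELOPER_POLICY)); // two passrole-to-compute findings via lambda:*
console.log(lintPolicy(READONLY_POLICY));  // []
```

The point the developer policy makes is the one in the commentary: neither `iam:PassRole` nor `lambda:*` is alarming in isolation, and a review that looks at each statement on its own will pass both. Run a check like this in the pipeline that deploys policies, and use `iam:PassedToService` conditions and narrow `lambda:` action lists to make the findings go away rather than suppressing them.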
Thread by @tastapod: What do I mean by “the best programmer I know”?
This thread on Twitter, unrolled by the lovely threadreaderapp, makes some great points. Dan is one of my inspirations and agile heroes and one of the best minds in software development I know, so I take his words seriously. I think it’s really interesting how many of the skills the “best developer” uses aren’t taught in computing degrees or prioritised in junior developer programs: business understanding, interacting with people, user research, empathy. How much better would we be as a profession if we prioritised teaching and valuing these so-called soft skills?
That's all for this week. See you next week.
Michael