When there’s something that needs our attention, tell us about it, but no bells and whistles for what comes standard. At least that’s what Scott Helme argues when it comes to encryption. Why he believes internet-wide safety shouldn’t come with a green padlock, and what’s already been done to get us there. Also, Google sends out thousands of warning emails to those at risk of being phished by Russian state-backed Sandworm – for the third year in a row. Discover why you should really protect your code signing keys and learn how Macy’s fell victim to a card skimming attack that should have been stopped at the door.
For the third year in a row, Google’s Threat Analysis Group (TAG) has sent out roughly the same number of “you might be phished by a state-sponsored hacking group” emails to thousands of YouTube, Drive and Gmail users in dozens of countries.
For the third year in a row, Russian-backed hackers monikered Sandworm (aka Telebots, Quedagh Group, BE2 APT, Black Energy, and Iridium, among others) have decided to go phishing with credential-baiting emails.
For the third year in a row, people continue to fall for it. So watch out.
In one case, an unfortunate employee opened a deceptive email (senders have included “Goolge”) and was conned into giving away code signing credentials. With these, Sandworm was able to build a backdoor and ship it inside an otherwise clean-looking app.
Kevin Bocek, Threat Intelligence VP at Venafi, elucidates: “As more and more hackers see the potential of malicious code signing, and ease for misusing keys and certificates, we'll see more of these attacks. We must ensure in the software build process code signing and machine identities are protected.”
As the hacking group capitalizes on credentials, Google has identified individuals within 149 countries that might have drawn the eye of these Russian black hats.
Best advice? Stay alert. Let’s do everything we can to avoid a fourth year.
Scott Helme argues that we shouldn’t alert people when things on the internet are fine, we should alert them when things on the internet are wrong.
That makes sense.
In his address at the SANS and NCSC Cyber Threat conference in London, Scott Helme claimed that encryption should not be the exception, but the rule. "We need it to become so ingrained and embedded into everything that we do that it's boring ... Encryption should be the boring default.”
Comparing it to a car, he said a light only flashes when something is amiss, not when the car is functioning as usual.
And therein lies the problem.
When the internet came about, non-encryption was the usual. As part of a long-waged push to change the narrative, Scott argues, "The lack of encryption on the web is actually a bug. And what we're doing now isn't adding a new feature for an improvement or a new thing: we're going back and fixing a mistake we made in the beginning."
Several steps have been taken, including the much-lauded TLS 1.3 update, the move from HTTP to HTTPS and Mozilla’s decision to adopt DNS over HTTPS (DoH), whose full merits are still being debated. The point is that the issue is being recognized, and that the InfoSec community is leading the charge.
Ironically, some of the “encrypt the internet” movement’s most devoted followers are unlikely candidates. As the green padlock has become ubiquitously synonymous with trust, bad actors are quick to take advantage of any favorable lead—purchasing TLS certificates on the Dark Web and registering legitimate, protected domains.
"Cyber criminals started to use HTTPS and their trust scores can be higher than normal websites, they really care about this stuff," commented James Lyne, CTO at SANS Institute.
Hopefully the rest of the web’s users aren’t too far behind.
“All I want for Christmas are the 3 numbers on the back of your card.”
And for many happy hackers this season, that might just happen.
Macy’s, the billion-dollar retailer, suffered one week of blatant card skimming on the point-of-sale (POS) site it uses to process transactions. The site is run under contract with a third party (as yet unnamed), and an unencrypted sales portal appears to be the likely cause of the breach.
According to Charity Wright, cyber threat intelligence advisor with IntSights, a website passing credit card information in 2019 without encryption is asking for trouble.
Two pages of the retailer were infected with card-skimming technology, and the personal data losses included, as is expected, sensitive payment information.
"The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two macys.com pages: the checkout page - if credit card data was entered and "place order" button was hit; and the wallet page - accessed through My Account” wrote the company.
"The threat actors are going after those unencrypted sources for credit card data, stealing them and then selling them on the dark web,” says Wright.
Unfortunately, the worst isn’t over. The long-tail effects may only be beginning, but here are some ways to stay smart.
With all the loose information obtained in the sweep (banking location, card numbers, personal contact information), those targeted may yet bear the brunt of further phishing campaigns as the hackers capitalize on the scare. Malicious sites designed to skim more information may masquerade as legitimate reconciliation sites from Macy’s or the victim’s bank, and unfortunately the value of the information already out there doesn’t diminish.
For retailers wanting to avoid a similar fate, Monique Becenti, channel and product specialist at SiteLock, suggests using SSL certificates, which protect information travelling from an eCommerce platform to the server. Third-party audits and basic encryption of POS systems remain best practices.
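As an added example of the kind of integrity check a retailer could run against its checkout and wallet pages (this is not Macy’s or any vendor’s code), the snippet below inventories every script on a page, external ones by URL and inline ones by SHA-256 digest, and flags anything missing from an approved baseline. The page markup and the injected script are constructed for the example.

```python
import hashlib
from html.parser import HTMLParser


class ScriptInventory(HTMLParser):
    """Collects ("src", url) for external scripts and ("inline", sha256) for inline ones."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.items.append(("src", src))
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            self.items.append(("inline", hashlib.sha256(body.encode()).hexdigest()))
            self._in_script = False


def script_inventory(html):
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.items


def unexpected_scripts(html, baseline):
    """Return inventory entries that are not in the approved baseline."""
    return [item for item in script_inventory(html) if item not in baseline]


# Constructed known-good checkout page; the baseline is taken from this snapshot.
BASELINE_PAGE = """<html><body>
<form id="checkout"><input name="cc"><button>place order</button></form>
<script src="/static/checkout.js"></script>
<script>window.cart = {total: 42.00};</script>
</body></html>"""
APPROVED = set(script_inventory(BASELINE_PAGE))

# Constructed copy of the same page with one unauthorized inline script added.
MODIFIED_PAGE = BASELINE_PAGE.replace(
    "</body>", "<script>/* unauthorized script inserted here */ void 0;</script>\n</body>")
```

Running `unexpected_scripts(MODIFIED_PAGE, APPROVED)` reports the single inline script that the baseline does not contain, while the unmodified page reports nothing.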
Wright hopes Macy’s will become an example to other vendors using third-party POS vendors. She suggested they lead "by saying that in order to work with us or work with our IT infrastructure, you have to follow all of these security protocols."
In either event, encrypting POS traffic, like encrypting internet traffic, should be standard.