The RiskIQ blog explaining their analysis of the giant BA breach, by scanning public domain information, is excellent and in-depth. Here’s the executive summary, five things you need to know, because several people have been asking me for this.

1) Small custom changes bypassed the usual monitoring and alarms:

…Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code…[yet with BA] we had no hits in our blacklist incidents or suspects because the Magecart actors customized their skimmer in this case.

2) Thus, finding the attack meant looking for a different change, which turned out to be in the baggage claim code:

…we would verify all the unique scripts on the website and only look at them again if their appearance changed in our crawling. Eventually, we recorded a change in one of the scripts. Opening up the crawl, we saw this script was a modified version of the Modernizr JavaScript library, version 2.6.2…

3) Attackers became so familiar with their targeted environment they used several layers of obfuscation down to the infrastructure level:

The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name baways.com as well as the drop server path. The domain was hosted on 89.47.162.248 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server

4) Changes to the script were minimal and leveraged existing business logic to fit in, just enough to redirect payment information:

On websites, mouseup and touchend, are events for when someone lets go of the mouse after clicking on a button or when someone on a touchscreen (mobile) device lets go of the screen after pushing a button. This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server.

5) Ability to change a script leaves open the question of privileged access management, and how contained the attacks are:

…the fact that they were able to modify a resource for the site tells us the access was substantial…British Airways wasn’t a compromise of a third-party supplier like the attack on Ticketmaster, it does raise the question of payment form security…

Kudos to RiskIQ for providing a dump of their data collection and analysis of what changed in the scripts.

In summary, this example of a blacklist failing is a very good case for why whitelists are better. Had British Airways been monitoring their payment script for changes (2012 script modified in 2018, to look like a script from 2012) and used cryptographic signatures, they would have been able to detect this attack. No blacklist is going to find a business process attack designed to look like the business process, unless exceptionally lucky, once a privilege escalation has occurred (essentially an impostor scenario). At that point change control and alerting is the last and best line of defense.

I think it worthwhile, especially for those engaged in hack back and active defense, to take time to compare and contrast these current stories and their narrative styles:

First, “Don’t Punish A North Korean Hacker Just For Following Orders”

My name is Jake, and I’m a former U.S. government hacker. I eventually quit for a number of reasons that don’t need to be discussed here. But for obvious reasons, I have some strong opinions about the American government criminally charging the hackers of other nations. When considering any criminal charges, context is important.

Charging Park Jin Hyok, (or any North Korean government hacker) as an individual is a human rights issue. Even assuming that the intrusions have been correctly attributed to Park, it’s important to note that Park had no choice in his actions.

Next, “Blackwater security guard murder retrial ends with hung jury”

Slatten, a former Army sniper, was found guilty of first-degree murder and sentenced to life in prison in April 2015 for firing the first fatal shots. An appeals court overturned Slatten’s murder conviction in August 2017, ruling that the initial trial court abused its discretion in not allowing Slatten to be tried separately from three other co-defendants and also found that the 30-year sentences violated the constitutional prohibition against cruel and unusual punishment.

Blackwater and its employees have faced legal controversy for activities during the Iraq war. In 2014 the UN Working Group on the use of mercenaries urged stronger global and regulation of private security companies. The call came on the heels of the guilty verdict against the four ex-Blackwater security guards. In 2012 Blackwater agreed to settle federal criminal charges dealing with export and firearm violations. Also in 2012 Blackwater reached a confidential settlement agreement with survivors and families of victims in the 2007 shooting incident. Blackwater ceased operations in Baghdad in May 2009 when its security contracts expired and were not renewed.

And finally, perhaps most significantly of all, “Canada’s special forces kept too many secrets about Afghan missions, says report”

A decade ago, military police launched an investigation into allegations made by a member of the Canadian special forces, who accused his colleagues of crimes as serious as murder.

The soldier claimed another special forces member, who was never identified, gunned down an Afghan man who was trying to surrender during a raid by coalition forces in 2006.

That investigation concluded with no charges, but morphed into a second, larger probe that examined a series of incidents between 2005 and 2009.

A second allegation surfaced — that U.S. forces, on a Canadian-led raid that may have taken place in 2006, executed an Afghan.

[…]

While the board said in its report it is aware of the need for mission secrecy, “the mere fact CANSOF claims something to be a matter of operational security does not necessarily make it so.”

All of the secrecy, said the report, “affected reporting on operational matters,” even within the organization, and many members “relied exclusively on verbal reporting, with a tendency to report only minimal operational information using vague and imprecise language.”

The result of that, said the inquiry report, was to leave senior commanders in the dark.

So in reverse order (no pun intended), (3) since senior commanders may be in the dark and “orders” shouldn’t shield abusers, and (2) since orders also can be filtered through organizational/relativity shifts like government staff taking private roles leading to even greater abuses, therefore (1) a former government employee in a private role saying he doesn’t want anyone following orders to be accountable…sounds very wrong to me.

The first article seems to support the opposite of the conclusion we should end with.

Also note that the author of this article (who wants us to not hold individuals accountable and instead treat people as simple order followers no matter what they do) literally says people in North Korea have absolutely no choice. His proof? He did a google search and believed it:

Let’s bring this example back to the cyberworld. Because Park was born and lives in North Korea, there’s no doubt that he was indoctrinated by the state from birth. The fact that North Korean citizens are institutionally brainwashed to unquestioningly follow the orders of the state is not a matter of debate. For those who defy the orders of the state, the penalties are severe—both for the offender and their families. If you doubt this, just Google “three generations of punishment rule” (caution: I can’t mentally prepare you for what you’ll see).

It is not a matter for debate because Google Search? This is clearly problematic reasoning. Dare I say some people in America are brainwashed to unquestioningly believe the results of Google?

But seriously, regime change study and practice is premised on all kinds of robust debates about the “facts” that this author so blithely tossed aside. He doesn’t like debate probably for the same reason he wants his superiors to take all the blame for his actions.

This is someone who appears to have been indoctrinated by his own state about his adversary’s state, which is not all that uncommon, yet still is disappointing. I’m going to go out on a limb here and say he didn’t bother to independently keep up with the long-time trends of dissent technology in North Korea.

Before flash drives became more widely available, North Koreans relied heavily on DVDs to view illegal movies, TV shows and other content smuggled into North Korea from China, according to North Korean defectors interviewed in a 2012 report by the global research consultancy InterMedia. But North Korean authorities attempted to crackdown by selectively cutting off electricity to certain neighborhoods and seeing if any households had illegal DVDs stuck inside the DVD players.

By comparison, North Koreans can easily unplug flash drives from TVs or mobile devices and hide the devices if needed. That consideration helped push the growing popularity of USB flash drives. One male North Korean who left the country in 2013 recalled having used USB flash drives since 2003, according to an interview included in a more recent 2017 report by InterMedia.

Does that sound like “institutionally brainwashed to unquestioningly follow the orders of the state is not a matter of debate” to you?

So the article that pleads against holding hackers accountable also goes on to make some weirdly relativistic arguments about ethics. If it is going to start out with a broad statement about human rights as inherited (universal), why backpedal into notions of controlled rights and say people under strict order culture can’t possibly understand when they’re told to do something unethical? The whole thing put together doesn’t make logical sense, aside from being divorced from political theory and reality. If the author can appeal to general human rights, then he is exhibiting how hackers anywhere can think independently enough to be held personally accountable.

Anyway, just for good measure I did Google “three generations of punishment rule” and the third result was:

Christians must support North Korea’s “three generations of punishment rule”

It’s true, I’ll grant him, I needed more preparation for seeing that.