RiskIQ Breaks Down the Magecart Role in BA Breach

The RiskIQ blog explaining their analysis of the giant BA breach, by scanning public domain information, is excellent and in-depth. Here’s the executive summary, five things you need to know, because several people have been asking me for this.

1) Small custom changes bypassed the usual monitoring and alarms:

…Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code…[yet with BA] we had no hits in our blacklist incidents or suspects because the Magecart actors customized their skimmer in this case.

2) Thus, finding the attack meant looking for a different change, which turned out to be in the baggage claim code:

…we would verify all the unique scripts on the website and only look at them again if their appearance changed in our crawling. Eventually, we recorded a change in one of the scripts. Opening up the crawl, we saw this script was a modified version of the Modernizr JavaScript library, version 2.6.2…

3) Attackers became so familiar with their targeted environment they used several layers of obfuscation down to the infrastructure level:

The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name baways.com as well as the drop server path. The domain was hosted on 89.47.162.248 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server.

4) Changes to the script were minimal and leveraged existing business logic to fit in, just enough to redirect payment information:

On websites, mouseup and touchend are events for when someone lets go of the mouse after clicking on a button or when someone on a touchscreen (mobile) device lets go of the screen after pushing a button. This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server.

5) The ability to change a script leaves open the question of privileged access management, and of how contained the attacks are:

…the fact that they were able to modify a resource for the site tells us the access was substantial…British Airways wasn’t a compromise of a third-party supplier like the attack on Ticketmaster, it does raise the question of payment form security…

Kudos to RiskIQ for providing a dump of their data collection and analysis of what changed in the scripts.

In summary, this example of a blacklist failing is a very good case for why whitelists are better. Had British Airways been monitoring their payment script for changes (a 2012 script modified in 2018 to look like a script from 2012) and used cryptographic signatures, they would have been able to detect this attack. No blacklist is going to find a business process attack designed to look like the business process, unless exceptionally lucky, once a privilege escalation has occurred (essentially an impostor scenario). At that point change control and alerting are the last and best line of defense.
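To make the whitelist point concrete, here is an added example of the kind of change control RiskIQ’s crawler applied and that a site owner could run against their own payment pages. It is not RiskIQ’s tooling or anything from British Airways: the script URL and script bodies are constructed stand-ins, and the allowlist is just a table of SHA-256 digests taken from a known-good deployment. The check flags any script whose digest differs from the baseline, any script that was not in the baseline at all, and any baseline script that has gone missing, without needing to know what a skimmer looks like. It also emits the Subresource Integrity value a browser can enforce in a `<script integrity=...>` attribute, which is the cryptographic-signature idea above applied at page level.

```python
import base64
import hashlib

# Constructed sample: the script inventory recorded from a known-good crawl.
# The URL and body are stand-ins, not the real British Airways asset.
BASELINE_SCRIPTS = {
    "https://shop.example.test/js/modernizr-2.6.2.min.js":
        b"/* Modernizr 2.6.2 (constructed stand-in) */\nwindow.Modernizr = {};\n",
    "https://shop.example.test/js/payment-form.js":
        b"/* payment form helpers (constructed stand-in) */\nfunction validateCard(){}\n",
}


def sha256_hex(data: bytes) -> str:
    """Digest used as the allowlist key for a script body."""
    return hashlib.sha256(data).hexdigest()


def sri_value(data: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity string, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, data: bytes) -> str:
    """Render the <script> element with the integrity attribute the browser enforces."""
    return (f'<script src="{url}" integrity="{sri_value(data)}" '
            f'crossorigin="anonymous"></script>')


def build_allowlist(scripts: dict) -> dict:
    """Freeze the current known-good inventory as url -> sha256 hex."""
    return {url: sha256_hex(body) for url, body in scripts.items()}


def check_scripts(allowlist: dict, observed: dict) -> list:
    """Compare a fresh crawl against the allowlist.

    Returns a list of (url, finding, digest) tuples where finding is one of
    'modified' (known URL, different content), 'unknown-script' (URL not in
    the baseline) or 'missing' (baseline URL absent from the crawl).
    An empty list means every script matches the baseline exactly.
    """
    findings = []
    for url, body in observed.items():
        digest = sha256_hex(body)
        expected = allowlist.get(url)
        if expected is None:
            findings.append((url, "unknown-script", digest))
        elif digest != expected:
            findings.append((url, "modified", digest))
    for url in allowlist:
        if url not in observed:
            findings.append((url, "missing", None))
    return findings


if __name__ == "__main__":
    allowlist = build_allowlist(BASELINE_SCRIPTS)

    # Constructed "later crawl": one byte-level change to the library file,
    # which is enough for the digest to differ even though the file name,
    # version banner and size all still look like the 2012 library.
    later_crawl = dict(BASELINE_SCRIPTS)
    modernizr = "https://shop.example.test/js/modernizr-2.6.2.min.js"
    later_crawl[modernizr] = BASELINE_SCRIPTS[modernizr] + b"/* appended line */\n"

    for url, finding, digest in check_scripts(allowlist, later_crawl):
        print(f"{finding:15} {url} {digest}")
    print(script_tag(modernizr, BASELINE_SCRIPTS[modernizr]))
```

The allowlist lives with the deployment, not with the web server, so an attacker who can edit the script cannot silently update the baseline at the same time; the crawl is run from outside, the way RiskIQ’s was, and every non-empty result is a change-control event to be explained before it is dismissed.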

Can Hackers Be Punished If They Claim to Have Been Given Secret Orders?

I think it worthwhile, especially for those engaged in hack back and active defense, to take time to compare and contrast these current stories and their narrative styles:

First, “Don’t Punish A North Korean Hacker Just For Following Orders”

My name is Jake, and I’m a former U.S. government hacker. I eventually quit for a number of reasons that don’t need to be discussed here. But for obvious reasons, I have some strong opinions about the American government criminally charging the hackers of other nations. When considering any criminal charges, context is important.

Charging Park Jin Hyok, (or any North Korean government hacker) as an individual is a human rights issue. Even assuming that the intrusions have been correctly attributed to Park, it’s important to note that Park had no choice in his actions.

Next, “Blackwater security guard murder retrial ends with hung jury”

Slatten, a former Army sniper, was found guilty of first-degree murder and sentenced to life in prison in April 2015 for firing the first fatal shots. An appeals court overturned Slatten’s murder conviction in August 2017, ruling that the initial trial court abused its discretion in not allowing Slatten to be tried separately from three other co-defendants and also found that the 30-year sentences violated the constitutional prohibition against cruel and unusual punishment.

Blackwater and its employees have faced legal controversy for activities during the Iraq war. In 2014 the UN Working Group on the use of mercenaries urged stronger global regulation of private security companies. The call came on the heels of the guilty verdict against the four ex-Blackwater security guards. In 2012 Blackwater agreed to settle federal criminal charges dealing with export and firearm violations. Also in 2012 Blackwater reached a confidential settlement agreement with survivors and families of victims in the 2007 shooting incident. Blackwater ceased operations in Baghdad in May 2009 when its security contracts expired and were not renewed.

And finally, perhaps most significantly of all, “Canada’s special forces kept too many secrets about Afghan missions, says report”

A decade ago, military police launched an investigation into allegations made by a member of the Canadian special forces, who accused his colleagues of crimes as serious as murder.

The soldier claimed another special forces member, who was never identified, gunned down an Afghan man who was trying to surrender during a raid by coalition forces in 2006.

That investigation concluded with no charges, but morphed into a second, larger probe that examined a series of incidents between 2005 and 2009.

A second allegation surfaced — that U.S. forces, on a Canadian-led raid that may have taken place in 2006, executed an Afghan.

[…]

While the board said in its report it is aware of the need for mission secrecy, “the mere fact CANSOF claims something to be a matter of operational security does not necessarily make it so.”

All of the secrecy, said the report, “affected reporting on operational matters,” even within the organization, and many members “relied exclusively on verbal reporting, with a tendency to report only minimal operational information using vague and imprecise language.”

The result of that, said the inquiry report, was to leave senior commanders in the dark.

So in reverse order (no pun intended), (3) since senior commanders may be in the dark and “orders” shouldn’t shield abusers, and (2) since orders also can be filtered through organizational/relativity shifts like government staff taking private roles leading to even greater abuses, therefore (1) a former government employee in a private role saying he doesn’t want anyone following orders to be accountable…sounds very wrong to me.

The first article seems to support the opposite of the conclusion we should end with.

Also note that the author of this article (who wants us to not hold individuals accountable and instead treat people as simple order followers no matter what they do) literally says people in North Korea have absolutely no choice. His proof? He did a google search and believed it:

Let’s bring this example back to the cyberworld. Because Park was born and lives in North Korea, there’s no doubt that he was indoctrinated by the state from birth. The fact that North Korean citizens are institutionally brainwashed to unquestioningly follow the orders of the state is not a matter of debate. For those who defy the orders of the state, the penalties are severe—both for the offender and their families. If you doubt this, just Google “three generations of punishment rule” (caution: I can’t mentally prepare you for what you’ll see).

It is not a matter for debate because Google Search? This is clearly problematic reasoning. Dare I say some people in America are brainwashed to unquestioningly believe the results of Google?

But seriously, regime change study and practice is premised on all kinds of robust debates about the “facts” that this author so blithely tossed aside. He doesn’t like debate probably for the same reason he wants his superiors to take all the blame for his actions.

This is someone who appears to have been indoctrinated by his own state about his adversary’s state, which is not all that uncommon, yet still is disappointing. I’m going to go out on a limb here and say he didn’t bother to independently keep up with the long-time trends of dissent technology in North Korea.

Before flash drives became more widely available, North Koreans relied heavily on DVDs to view illegal movies, TV shows and other content smuggled into North Korea from China, according to North Korean defectors interviewed in a 2012 report by the global research consultancy InterMedia. But North Korean authorities attempted to crack down by selectively cutting off electricity to certain neighborhoods and seeing if any households had illegal DVDs stuck inside the DVD players.

By comparison, North Koreans can easily unplug flash drives from TVs or mobile devices and hide the devices if needed. That consideration helped push the growing popularity of USB flash drives. One male North Korean who left the country in 2013 recalled having used USB flash drives since 2003, according to an interview included in a more recent 2017 report by InterMedia.

Does that sound like “institutionally brainwashed to unquestioningly follow the orders of the state is not a matter of debate” to you?

So the article that pleads against holding hackers accountable also goes on to make some weirdly relativistic arguments about ethics. If it is going to start out with a broad statement about human rights as inherited (universal), why backpedal into notions of controlled rights and say people under strict order culture can’t possibly understand when they’re told to do something unethical? The whole thing put together doesn’t make logical sense, aside from being divorced from political theory and reality. If the author can appeal to general human rights, then he is exhibiting how hackers anywhere can think independently enough to be held personally accountable.

Anyway, just for good measure I did Google “three generations of punishment rule” and the third result was:

Christians must support North Korea’s “three generations of punishment rule”

It’s true, I’ll grant him, I needed more preparation for seeing that.

Pentagon Addresses “high turnover and the assignment of new members” After Deadly Niger Ambush

Communication gaps between teams, caused by instability of field relationships, have been faulted for the ambush that killed US Green Berets:

“The Niger 15-6 investigation found that there were areas where training was insufficient, including pre-deployment collective training for Team Ouallam due to high turnover and the assignment of new members,” Maj. Karl Weist, an AFRICOM spokesman, said Wednesday in a statement to Military Times. “As a result, a recommendation was made to address areas of improvement.”

Expansion of force and new facility is one of the improvement areas already underway and nearing completion, according to the same article:

The U.S. Air Force is also close to opening Niger Air Base 201 on the edge of the Sahara Desert, which is the largest airmen-led construction project in the history of the service, according to Air Force Capt. Mayrem Morales, a U.S. Air Forces Africa spokesperson.

The base’s total cost will be roughly $98.5 million, according to Morales. The base will eventually house the U.S. armed drone mission in Niger that currently operates out of Niger’s capital, Niamey.

This news comes only a month after the Pentagon suggested nearly the opposite plan, that turning over control and assignment of new members would help their efforts in Africa:

“They can do it on their own,” Waldhauser said. “That would be an example of a country where we have worked ourselves out of a job.”

Niger was also listed in the Times’ interview with [Marine Gen. Thomas Waldhauser, the leader of U.S. Africa Command] as a country where local forces are getting to a point where they may soon not need U.S. oversight on missions, despite that country being the place of the deadly October ambush. The Pentagon’s investigation into the attack found shortfalls that led to the disaster stemmed from a lack of “command oversight at every echelon.”

And just for good measure, to really confuse everyone about the value of teamwork and clear communication channels, Waldhauser also told the NYT “the United States would still ‘reserve the right to unilaterally return’ to protect American interests”.

So clearly the US is committed to engaging more closely with teams in the field to open better lines of communication and bringing more investment to avoid disasters…by initiating a draw-down of forces, handing things over completely while reserving the right to appear anywhere anytime as they decide alone.

To be fair, drawing-down and handing things over can also mean teamwork. Perhaps there was an American advisory role that led to the French claiming the ability to track down one of the leaders of the group that took responsibility for the ambush, killing him and nearby civilians (bodyguard, and unidentified woman with a child) in a new airstrike report.

Mohamed Ag Almouner — a top leader of the Islamic State in the Greater Sahara — was found dead after an airstrike Sunday night by two Mirage jet fighters, the French army said Monday.

This followed a report from the US four months ago targeting members of the group involved in the ambush and their leadership:

One of the three militants that led the ambush, Doundoun Cheffou, is most likely alive, according to government documents that were described to The New York Times by two United States military officials who were not authorized to discuss them publicly and spoke on the condition of anonymity.

The other two militants — Tinka ag Almouner and Al Mahmoud ag Baye, the latter of whom is believed to have trailed the team of Americans until shortly before they were attacked — were killed in the ambush.

Two higher-ranking militants are also likely alive and connected to the attack, although it is unclear how, according to one of the military officials.

[…]

At the meeting, the officials also discussed methods to help track the militants who participated in and helped orchestrate the ambush — an endeavor that could take years.

…or apparently just a few months, given teamwork as well as communication improvements. So there is turnover, and then there is turnover.

Harley-Davidson Moves Research to Northern California

Well, I have to say I was wrong twelve years ago about diesel motorcycles. No matter how patiently I waited for that Kawasaki to arrive, in the back of my head it was clear that hackers around me loved the zero-power-curve of electric bikes more than the long-distance range of diesel.

At one point many years ago I was stuck in a long car ride around rural France (ask me another time about war-driving) with an aeronautical engineer and to kill time I opined about the benefits of light motorcycles with batteries easily outperforming gasoline. Only a few months later, back stateside, I received an email thanking me because he had built one himself and now was commuting effortlessly and with a smile.

I was gruntled, yet still awaited news of a diesel. Something about the plug-in/range didn’t suit my sense of riding.

With Harley, king of the long-haul open-road bikes, making a major electric research announcement like this, I officially give up on diesel bikes making it to civilian life:

Harley-Davidson, Inc. (NYSE: HOG) announced today it will establish a new research and development facility in Northern California to support its future product portfolio, including the company’s first complete line of electric vehicles.

Many, many years ago I worked on Cabletron switches, which in a bizarre twist led me to Milwaukee, WI. Unbeknownst to many, if not most, Harley was at that time doing cutting edge IT deployments. Also I attended wedding parties there of Harley workers that ended with the couple describing Harleys they would ride to California. I mean high-tech Harleys in California does make sense, in spite of their oil-splattered tinkering owners group heritage.

Until now my heart still ached for that Kawasaki diesel dual-sport we were promised. Oh well. The time has come to say diesel bikes aren’t going to make headlines. Perhaps electric range soon will be less of an issue as Harley clearly thinks about that spectrum. But will HOGs be able to keep their tinkering ways or is DRM also coming?