Welcome to Cyber Security Today, the Week in Review edition. I’m Howard Solomon, contributing reporter on cybersecurity for IT World Canada. Today I’ll be looking back at some of the big news stories in the past seven days with Terry Cutler of Cyology Labs. To hear the podcast click on the playback arrow:
First, here are some of the highlights:
The U.K. privacy commissioner fined British Air the equivalent of $34 million for a 2018 data breach that exposed information on 490,000 passengers and employees. An unnamed attacker used the username and password of a Trinidad-based employee of BA’s cargo handler, Swissport, to access the airline’s IT system. The attacker then compromised the airline’s website so it could copy passengers’ credit and debit card numbers as they bought tickets online.
New York State’s financial regulator criticized Twitter for poor security in letting the attackers take over accounts of celebrities to push a “double your bitcoin” scam. A few employees fell for a phone call from someone pretending to be from Twitter’s IT department. The caller claimed employees were having problems logging into the system through a new VPN. The hackers sent the employees to a lookalike website and told them to log in there. Meanwhile the attackers were copying the usernames and passwords into the real company login page to get into the system. Just as bad, the report said, Twitter didn’t have a chief information security officer for seven months before the hack, which sent a message that cybersecurity wasn’t a top priority at the company.
If your organization wants to know which are the most serious vulnerabilities to patch, the U.S. National Security Agency is able to help. It issued a list of the 25 vulnerabilities most commonly exploited by Chinese state-sponsored cyber attackers. The list includes holes in products from Pulse Secure, F5 Networks, Citrix, Microsoft, Adobe, Oracle, Cisco Systems and others.
A ransomware gang tried to butter up its image by donating $10,000 of the money it squeezes out of corporations to a charity. The charity says it will have nothing to do with money obtained by crime.
Finally, tired of having to remember the PIN for your credit card? Mastercard is continuing to test a solution: a credit card with a fingerprint reader. According to the ZDNet news service, the test started in 2017 in South Africa and has now moved to Asia and Australia.
In the interview section I turned to Terry Cutler, chief executive of Montreal-based Cyology Labs, who has been advising organizations for years on cybersecurity.
First the British Air hack. It started with the hacker getting hold of the login credentials of a cargo worker who worked for a contract company, a classic hack through a supplier. I asked Terry what struck him about the airline’s security after reading the report.
“What really struck me was how some of these things may not have worked,” Cutler said. “I think they did everything they could within their budget scope and convenience requirements. So the breach started with the third party company getting their credentials stolen. Now, how could that have happened? Maybe they leaked onto the dark web (or) the guy never changed his password, whatever. But British Airways are not necessarily in the business of testing third party suppliers’ networks, right? Their scope ends at their network, and their contracts will say the third party should be testing their own networks and providing annual penetration tests and such, and maybe provide the report to British Airways if possible. But what’s interesting is that once the system was compromised and [the attacker] was able to sign in, there would be no detection in place for that because it’s a legitimate login, right? It’s not like the account was brute-forced or anything. It was a legit login.”
I noted the report also says that the airline had a policy that all logins to applications had to be protected with multifactor authentication. But 13 out of the 243 apps weren’t protected that way. Doesn’t that show a little carelessness on the airline’s part?
“It could,” Cutler replied. “But at the same time, and this is based off my experience, when I do penetration testing for the clients sometimes they use software that is outdated and can’t work with newer technology and they’re forced to revert to the unprotected style.”
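Two defender-side points come out of this part of the interview: a login with stolen but valid credentials produces no failed-authentication alert, so it has to be caught by comparing it against what the account normally does, and an MFA policy is only as good as the inventory that shows which applications actually enforce it. The script below is an added example, not code from the podcast, from British Airways or from Cyology Labs. It assumes a simple login-event feed with `user`, `app`, `country` and `mfa` fields and an application inventory with an `mfa_enforced` flag; those field names, the account names and every event are constructed for the demo.

```python
"""Flag valid-credential logins that break an account's baseline, and list
applications that do not enforce MFA.

Added example (not from the page). Field names, account names and all
events below are constructed for the demonstration.
"""
from collections import defaultdict

# Constructed baseline: a trusted observation window for two accounts.
# The vendor account only ever reaches the cargo portal from Trinidad (TT).
BASELINE = [
    {"user": "cargo-vendor01", "app": "cargo-portal", "country": "TT", "mfa": True},
    {"user": "cargo-vendor01", "app": "cargo-portal", "country": "TT", "mfa": True},
    {"user": "cargo-vendor01", "app": "cargo-portal", "country": "TT", "mfa": True},
    {"user": "jsmith", "app": "hr-app", "country": "GB", "mfa": True},
    {"user": "jsmith", "app": "email", "country": "GB", "mfa": True},
]

# Constructed new events: one normal vendor login, one vendor login that
# reaches a different application from a new country without MFA, and one
# account that never appeared in the baseline at all.
NEW_EVENTS = [
    {"user": "cargo-vendor01", "app": "cargo-portal", "country": "TT", "mfa": True},
    {"user": "cargo-vendor01", "app": "web-cms", "country": "US", "mfa": False},
    {"user": "unknown-svc", "app": "email", "country": "GB", "mfa": True},
]

# Constructed application inventory for the MFA-coverage check.
APP_INVENTORY = [
    {"name": "cargo-portal", "mfa_enforced": True},
    {"name": "hr-app", "mfa_enforced": True},
    {"name": "legacy-cargo-console", "mfa_enforced": False},
    {"name": "email", "mfa_enforced": True},
    {"name": "web-cms", "mfa_enforced": False},
]


def build_baseline(events):
    """Per-account sets of applications and source countries seen in the trusted window."""
    profile = defaultdict(lambda: {"apps": set(), "countries": set()})
    for e in events:
        profile[e["user"]]["apps"].add(e["app"])
        profile[e["user"]]["countries"].add(e["country"])
    return profile


def score_login(event, profile, mfa_required=True):
    """Return the reasons a successful login is anomalous; an empty list means it fits the baseline."""
    reasons = []
    p = profile.get(event["user"])
    if p is None:
        reasons.append("account never seen in baseline window")
    else:
        if event["app"] not in p["apps"]:
            reasons.append(f"first login to application {event['app']}")
        if event["country"] not in p["countries"]:
            reasons.append(f"first login from country {event['country']}")
    if mfa_required and not event["mfa"]:
        reasons.append("login completed without MFA despite policy")
    return reasons


def triage(baseline, new_events):
    """Return (user, reasons) for every new event that deviates from the baseline."""
    profile = build_baseline(baseline)
    flagged = []
    for e in new_events:
        reasons = score_login(e, profile)
        if reasons:
            flagged.append((e["user"], reasons))
    return flagged


def unprotected_apps(inventory):
    """Names of applications whose inventory record says MFA is not enforced."""
    return [a["name"] for a in inventory if not a["mfa_enforced"]]


if __name__ == "__main__":
    for user, reasons in triage(BASELINE, NEW_EVENTS):
        print(f"{user}: {'; '.join(reasons)}")
    print("apps outside MFA policy:", unprotected_apps(APP_INVENTORY))
```

The baseline here is deliberately coarse (application and country only); in practice the same shape works with device identifiers, ASN, or time-of-day buckets, and the point is that a third-party account should be held to a narrower baseline than a staff account, because the contract that governs it only covers a narrow set of systems.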
Later I asked him to comment on the Twitter attack, which started with hackers phoning select employees pretending to be Twitter’s IT help desk. Employees got directed to log into a lookalike website for staff. Could Twitter’s security have been better?
“Here’s the challenge that I see,” he replied. “Whenever I get hired to do a penetration test they say, ‘We want to get all our systems tested. We’ll make sure that we can’t be hacked,’ but the moment we [testers] say, ‘We want to test your ticketing system or specialized system that could possibly cause disruption’ ... all of a sudden now it’s like completely out of scope [of the test]. They’ll say, ‘No, go test it on our development environment,’ which, by the way, rarely looks at all like the real online version. So we’re testing an old platform. So we can only say, ‘Yeah, there’s a vulnerability here, patch it up.’ But then if they try to patch it up, maybe it breaks functionality or they don’t have time to test it.”
To hear the full interview, click on the playback arrow near the top of the story.