Robin’s Newsletter #122

18 October 2020. Volume 3, Issue 42
British Airways fined £20M for data breach; Businesses exploiting contact tracing data; Microsoft's trademark takedown of TrickBot.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

ICO issues British Airways with £20M fine

The ICO has issued British Airways (BA) a £20 million fine for lax security practices that allowed a MageCart card-skimming group to steal the personal information of around 400,000 customers (vol. 1, iss. 12).
The fine comes after two years of investigation and an ‘intention to fine’ notice of £183 million (vol. 2, iss. 28) fifteen months ago. The final penalty is therefore just under 11% of the original notice, and less than the £22 million that BA set aside in its most recent financial statements (vol. 3, iss. 31).
The penalty takes into consideration the economic situation the airline industry is facing because of the global Coronavirus pandemic. That consideration amounts to £6 million, with a further £4 million off in recognition of BA’s cooperation with the investigation. That leaves a reduction of roughly £150 million that is down to the representations BA made following the notice of intent, which appear to have convinced the regulator that the airline was less at fault than previously believed. I wonder how the legal fees compare to the £150M they saved.

The report itself goes into some detail on how the attack unfolded, and does not leave BA’s pre-breach security practices covered in glory.
The attack started with the attackers gaining access to a Citrix account used by a Swissport employee in Trinidad and Tobago. The account did not have multi-factor authentication (MFA) enabled, though the airline has since secured all remote access with MFA. Interestingly, part of the reason for the fine was that BA had a policy requiring MFA but had not applied it to this third-party access, and could not explain why the system and its users had been granted an exception.

From there, the attackers were able to pivot into the wider BA network, where they found a domain administrator username and password in a plaintext file. The report indicates that BA was not monitoring for failed admin login attempts, or for use of guest accounts (which the company had disabled).
BA had also been logging payment card details in plaintext to log files since 2015 - a feature intended only for test environments that had been left on by human error - with log rotation limiting the exposure to the previous 95 days. This is a breach of the Payment Card Industry Data Security Standard (PCI DSS).

At this point the attacker was also able to use their access to modify files on the BA website and implant JavaScript that skimmed payment card details from the checkout process and sent them to a separate website under the attacker’s control. While BA had a change management process, it was people- and process-based, with no technical checks or controls in place to detect unauthorised changes.
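The missing technical control here is, in essence, file-integrity monitoring of the web root. The following Python is an added example (not BA’s tooling and not from the ICO report) that records a SHA-256 baseline of an approved release, diffs a later snapshot against it to report added, removed and modified files, and generates a Subresource Integrity value for a script tag. The asset names and contents are constructed for illustration.

```python
import base64
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(assets):
    """assets: mapping of relative path -> bytes. Returns path -> SHA-256 hex."""
    return {path: sha256_hex(content) for path, content in assets.items()}


def verify_against_baseline(baseline, assets):
    """Compare a current snapshot with the approved baseline.

    Returns {'added': [...], 'removed': [...], 'modified': [...]} so that a
    non-empty result can be alerted on by whatever runs this check.
    """
    current = build_baseline(assets)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            path for path in baseline.keys() & current.keys()
            if baseline[path] != current[path]
        ),
    }


def sri_attribute(content: bytes) -> str:
    """Value for a <script integrity="..."> attribute (Subresource Integrity)."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def snapshot_dir(root):
    """Read every file below root into a path -> bytes mapping, for use
    against a real web root rather than the constructed sample below."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): p.read_bytes()
        for p in root.rglob("*")
        if p.is_file()
    }


# Constructed sample: an approved release, and a later snapshot in which
# one vendor script has had extra code appended (a stand-in for a skimmer).
APPROVED = {
    "index.html": b"<script src=\"js/vendor.js\"></script>\n",
    "js/vendor.js": b"window.vendor = {};\n",
    "js/checkout.js": b"function pay(form) { return submit(form); }\n",
}
TAMPERED = dict(APPROVED)
TAMPERED["js/vendor.js"] += b"// constructed stand-in for injected skimmer code\n"


def demo():
    """Baseline the approved release, then verify the tampered snapshot."""
    return verify_against_baseline(build_baseline(APPROVED), TAMPERED)


if __name__ == "__main__":
    print(demo())
    print(sri_attribute(APPROVED["js/vendor.js"]))
```

Take the baseline at release time from the change management system, and run the verification from a host the web servers cannot write to, so an attacker with access to the web root cannot also update the reference hashes. SRI on its own is the weaker control in this scenario: an attacker who can edit the JavaScript can usually edit the HTML that carries the `integrity` attribute, so it mainly protects scripts loaded from third-party origins.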

BA removed the script and reported itself to the ICO two months later, after being notified by a third party.

The failings ‘constitute a serious failure to comply with GDPR,’ according to the ICO’s report. The regulator was, however, supportive of the airline’s approach of notifying it and actively issuing a press release to 5,000 journalists so that customers were made aware of the circumstances.
10% of the 400,000 affected individuals took up BA’s offer of free credit monitoring.
What is clear from the report is the considerable effort by BA’s lawyers to minimise the penalty and to take issue with the way the ICO arrived at its value. Many paragraphs of the report are devoted to rebutting these arguments, and it is interesting to piece together parts of the legal defence and the negotiations that accompany such a large regulatory action.

While the ‘final amount’ has been arrived at, there is still an opportunity for BA to appeal the decision.

ico.org.uk, theguardian.com, techcrunch.com, theregister.com

Interesting stats

$1,875 median price asked by sellers of network access used by ransomware groups zdnet.com

Three-quarters of organisations apply software patches within a week of release; 39% patch servers and internet-facing assets within 24 hours

45% / 30% / 25% split of IT teams’ time spent on prevention / detection / response to cyber security issues

29% of ransomware victims had five or more suppliers connecting into their networks, compared with 13% of organisations that did not become victims

…according to an independent survey for Sophos of 5,000 IT Managers in 26 countries sophos.com (PDF)

Other newsy bits

Microsoft used trademark law in TrickBot takedown

An interesting read on Microsoft’s “sneak attack” on the TrickBot operators, using trademark and defamation law to seize control of command-and-control domains used by the botnet. The phishing lures, which pose as Microsoft notifications, “mislead Microsoft’s customers” and cause Redmond “extreme damage” to its brand. The move comes hot on the heels of US Cyber Command’s attack on the botnet last week. The long-term impact on TrickBot’s operations does not appear to be significant, though it is currently operating at a much-reduced rate. Earlier this year Bobby Chesney and Risky Business podcast host Patrick Gray discussed the idea of ‘releasing the hounds.’ Using state capabilities in so-called ‘persistent engagement’ operations to disrupt and degrade cybercriminals’ operations may not only keep them on their toes but also increase the slip-ups that result in the perpetrators being caught by law enforcement. krebsonsecurity.com, lawfareblog.com, cyberscoop.com

Contact tracing being exploited by private firms to capture personal data

Wagamama, a UK chain of Japanese-inspired restaurants, has been reported to the Information Commissioner’s Office for using contact tracing data for marketing purposes.

The UK’s data regulator will look into how the company positions its ‘Track and Pay’ system, which pushes customers to provide contact tracing details, pay digitally and opt in to marketing offers.

QR codes (square two-dimensional barcodes) have become a popular way to direct customers to web pages where they provide their details. While the data should be captured, and retained for 21 days, only for compliance with COVID legislation, businesses are also capitalising on users’ compliance to capture data for other purposes.

The privacy policy for Pub Track and Trace (PUBTT), which charges venues £20 per month, says that data may be used to “make suggestions and recommendations” about products and services and that it may be shared with “fraud prevention services or credit/background checks.” Competitor Ordamo’s policy says that data will be held for 25 years.

These services are unrelated to the national scheme and giant QR codes used by the NHS Test & Trace app.

The Guardian looks at how passing contact tracing details to law enforcement for investigative purposes undermines trust. Chief Medical Officer Chris Whitty said it could discourage people from being tested for the virus.

The mass collection of sensitive personal information rightly requires a high bar, and the ICO is investigating PUBTT and Ordamo among fifteen contact tracing solutions that have sprung up with dubious privacy policies. thetimes.co.uk (Wagamama), thetimes.co.uk (PUBTT, Ordamo), theguardian.com

In brief

Attacks, incidents & breaches

  • Hackney Council, a London borough, has fallen victim to a ransomware attack that has left it unable to make housing benefit payments, potentially leaving thousands of residents unable to pay their rent sky.com
  • Barnes & Noble is the victim of a ransomware attack; email and billing addresses, as well as purchase history, were likely stolen bleepingcomputer.com
  • Source code and other data allegedly stolen from Ubisoft and Crytek appears on a data leak site ahead of a game launch zdnet.com
  • Seller on a carding site claims to have 3 million payment cards from US restaurant chain Dickey’s BBQ cyberscoop.com

Threat intel

  • Accenture Security takes a look at the rise of ‘network access sellers’ on dark and deep web forums, who do the initial legwork to gain access to a victim’s network and then sell that access to other criminal groups accenture.com
  • Qbot is using a ‘Windows Defender’ theme to manipulate users into enabling macros that install the malware bleepingcomputer.com
  • Mandiant releases details of a group it is calling FIN11, which targets pharma and healthcare organisations with ransomware cyberscoop.com

Vulnerabilities

  • CISA warns users of Foxit’s PhantomPDF suite to update following a string of high-severity vulnerabilities theregister.com
  • Patch Windows 10 and Windows Server 2019 to avoid the ‘wormable’ CVE-2020-16898 “Bad Neighbour” vulnerability in the way they handle ICMPv6 Router Advertisement packets, says US Cyber Command bleepingcomputer.com
  • SonicWall VPN vulnerability scores 9.4/10 on CVSS; patch available zdnet.com

Internet of Things

  • Android IoT devices co-opted into a botnet that offers anonymous browsing services for profit arstechnica.com

Public policy

  • US, UK, Canada, Australia, New Zealand, India and Japan call on tech companies to add backdoors to end-to-end encryption to support law enforcement and “respond to violations of their terms of service” zdnet.com

Law enforcement

  • Members of the QQAAZZ group that laundered money for the Dridex, TrickBot and GozNym cybercrime groups charged in a joint US-Portugal operation zdnet.com

And finally

David Mitchell on that CyberFirst ad

Oh Fatima. What a week. I think we should all take a good long laugh at it, as David Mitchell says in his column: “it is not just a bad advertisement, its badness has reached a point of delightful perfection… It’s enough to inject humour even into a cybersecurity workplace.” theguardian.com

Robin
