Netflix Public Bug Bounty

Netflix announced a bug bounty program for their website, mobile apps and about a dozen other web properties this week offering rewards between $100 and $15,000 for each discovered vulnerability.

Bug bounties are nothing new to Netflix, but you wouldn’t know it, because Netflix has run an invite-only private bug bounty program for the last five years and recognizes bug hunters in a “Hall of Fame” menu, which is a nice touch. Netflix launched its Responsible Vulnerability Disclosure program privately in 2013 and decided the experience was productive. As a result, they opened the program publicly this month on the Bugcrowd platform. Acknowledging the bug hunters involved in the private program sends a positive message to the community that the company is highly engaged in the cyber security realm.

The bug-busting invitees came from Bugcrowd’s top 100 ranked bug hunters. They submitted 275 bugs, of which 145 were determined to be valid. This seems like a low bug total and may be attributable to the engineering culture of ownership and security at Netflix.

There are strict guidelines posted on Bugcrowd. The authorized cyber-targets are clearly explained here, as are the targets that are off-limits. They also explain a few caveats for testing: you must hack against your own account, and if you reach an unauthorized area or discover private information while testing, you must stop immediately and submit a bug report.

The bounty matrix is clearly described in Bugcrowd with the highest bounties of $15,000 focused on the Netflix API and

Under Armour Under Attack

Under Armour revealed last week that the company’s popular MyFitnessPal app had been hacked, and began notifying customers on Thursday. The stolen data includes user names, email addresses and scrambled passwords; the company added that Social Security numbers, driver’s license information and payment card data were safe.

The press release states that 150 million accounts were affected.

Why I’m writing this article: companies experiencing significant data breaches have been releasing minimalistic press releases and hoping that the news media doesn’t notice that a data breach affecting millions of people occurred. Companies are not conspicuously posting notice of the breach on their websites. Wonder why? Because there is no requirement to conspicuously post it on the company home page.

The only reason we discover that a data breach even occurred at a publicly traded company is the Securities and Exchange Commission (the SEC). The SEC requires a publicly traded company to make financial notifications about events that may affect investors. Failure to do so could be a criminal violation, and it is certainly a regulatory violation.

Under Armour posted the data breach information on its investor relations page because it must be there; a shareholder notification was required. I don’t get the feeling that they posted it there for the sake of corporate transparency. Data breaches should be regulated, and there should be a reporting requirement that includes a conspicuously posted notice on the home page of a company’s website.

The scarlet ‘B’…

Financial Fallout from Cyber Attacks: Merck Pharmaceuticals.

I discovered an article on that immediately grabbed my attention: “The Financial Fallout of Data Breaches”. I’ve researched the costs of breaches recently, but most estimates offer an average-cost perspective on breaches. This article was different because it gave the specific cost that a large corporation with a local presence incurred because of the NotPetya ransomware attacks in 2017. That company is Merck Pharmaceuticals.

It’s important to understand that, beyond the reputational cost associated with the attack itself, Merck also incurred losses related to IT infrastructure, drug sales, drug manufacturing and research, and drug inventories. But it doesn’t stop there. There are additional legal and regulatory costs after the Federal and State governments investigate and assess fines in the future. Then there are costs, to be determined later, resulting from lawsuits by other companies or people harmed by Merck because of the breach.

I apologize for copying and pasting the relevant section from Merck’s recent Annual Report, but it is so succinct in its legalese explanation of how much the attack cost the company.

Merck’s Annual Report, form 10K, revealed that: “On June 27, 2017, the Company experienced a network cyber-attack that led to a disruption of its worldwide operations, including manufacturing, research and sales operations. All of the Company’s manufacturing sites are now operational, manufacturing active pharmaceutical ingredient (API), formulating, packaging and shipping product. The Company’s external manufacturing was not impacted. Throughout this time, Merck continued to fulfill orders and ship product. Due to the cyber-attack, as anticipated, the Company was unable to fulfill orders for certain products in certain markets, which had an unfavorable effect on sales in 2017 of approximately $260 million. In addition, the Company recorded manufacturing-related expenses, primarily unfavorable manufacturing variances, in Materials and Production costs, as well as expenses related to remediation efforts in Marketing and Administrative expenses and Research and Development expenses, which aggregated $285 million in 2017, net of insurance recoveries of approximately $45 million. Due to a residual backlog of orders, the Company anticipates that in 2018 sales will be unfavorably affected in certain markets by approximately $200 million from the cyber-attack. Merck does not expect a significant impairment to the value of intangible assets related to marketed products or inventories as a result of the cyber-attack”

Lastly, Merck indicated that it is engaging in an ‘enterprise-wide’ effort to improve its resiliency against future attacks and the speed at which it can recover. That cost will likely be detailed in next year’s Annual Report.

My math ($260 million in lost 2017 sales, $285 million in expenses net of insurance recoveries, and approximately $200 million in anticipated 2018 sales impact) puts the cost at $745M and still counting.




Orbitz – Your Trip to Cybervictimville is Booked!

Travel company Orbitz announced a security breach that compromised over 880,000 customer accounts over a two-year period from January 2016 to December 2017. Orbitz is a travel and vacation package aggregator and a direct competitor of Priceline.

According to Expedia, which owns Orbitz, “Criminals had access to Orbitz consumer and business partner platforms, but not the website. The consumer side of the Orbitz business platform was open to attack during the first half of 2016, while the partner platform was open to attack between Jan. 1, 2016 and Dec. 22, 2017.”

According to the press release, the breach allowed attackers to steal names, dates of birth, billing addresses and email addresses. Expedia clearly apologized but added that there was no evidence that the data was actually stolen; I would love to have Expedia explain to me how it arrived at that conclusion (hackers apparently just like to look at data for two years). There was no mention of whether passwords were also stolen. Expedia explained that the attack targeted third-party vendors and not the Orbitz website.

Financially, this will likely have a negative impact on the valuation of parent company Expedia, whose stock price has underperformed over the past year. Not only is the breach a reputational hit, it is an unplanned expenditure of millions of dollars for the 880,000 customers who accept Expedia’s offer of credit monitoring because of the breach. I wonder if Expedia will contract with Experian to perform the monitoring service?

From a prevention perspective, it’s important to use a unique password for each web property you interact with. Never reuse passwords! The lesson here is that if a hacker acquired your reused password at Orbitz, he or she would have it for other sites as well.

For Orbitz, the key takeaway is to be vigilant about your third-party vendors and their networks, especially their legacy systems. The days of making your vendors demonstrate the security of their networks are here.

What I find most interesting is that American Express also revealed a breach recently, blaming a third-party vendor just as Orbitz has done. Neither company has identified the third-party vendor.


Cyber Security Due Diligence

Automatic Data Processing (ADP) recently purchased WorkMarket, a payroll company, in January of this year after WorkMarket. In and of itself this merger and acquisition story is uneventful, except that WorkMarket positioned itself above other possible acquisition targets by having solid cyber security. WorkMarket satisfied the Risk Management, Cyber Security and Financial Crime specialists ADP sent to the company as part of the due diligence phase of the acquisition. ADP rejected other companies that did not pass this new aspect of due diligence.

Companies’ cyber security is now a part of the due diligence phase of mergers and acquisitions. The best-known example of the impact failed cyber security has had on an acquisition is Verizon’s purchase of Yahoo. Initially, Verizon offered $4.48 Billion for Yahoo but ultimately renegotiated the deal after discovering the extent of Yahoo’s data breaches. Verizon bought Yahoo for $350 Million, a loss of $4 Billion for Yahoo shareholders!

The question is: what gets assessed? The assessment is a logical evaluation of the data and the network. Here are the inspection points:

An in-depth assessment of the network: a physical assessment of the network is completed, including penetration testing, a check that all patches are current and a check that the network is properly protected. Policies and procedures are also evaluated. Undiscovered breaches would be a bad thing to happen in this phase!

National Institute of Standards and Technology: does the company follow and adhere to cyber security best practices that address interoperability, usability and privacy? Does it adhere to suggested configurations and vulnerability management?

Network employee evaluation: the certifications and training of the company’s network employees will be evaluated.

Third-party vendors: which services are relied upon to deliver portions of the network or network services will be reviewed. The structure of the network will be reviewed, including its cloud components and how the company assesses the vendors for their network components.

Physical security: all the best cyber security in the entire world can quickly be undone if someone can enter your facility and access the network.

Regulation: relationships with regulators and regulatory actions will be investigated. Prior breaches, and how breaches are handled, would be assessed.

Data usage and privacy policies: the various privacy policies will be checked, since they change over time, along with an evaluation of the various data usage policies and how the acquiring company can use the data moving forward.

Startups and small companies that want to be targeted for acquisition must now make cyber security and safeguarding their network a high priority to avoid being discarded as too risky in the due diligence phase.

Sources: Cyber Security Due Diligence in M&A Transactions, Sullivan and Cromwell, LLC, John Evangelakos





GitHub Amplification Attack

According to, “On Wednesday, February 28, 2018 was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack…. Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack. The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.”

Amplification attacks are a specific type of DDoS attack in which the attacker uses a botnet to leverage a weakness in the User Datagram Protocol (UDP) to spoof the victim’s IP address and trick legitimate servers (called “reflectors” or “amplifiers”) into sending packets of data ‘back’ to the victim’s DNS servers, flooding them. The amplification happens when the response data sent to the victim is larger, up to 51,000 times greater for this UDP-based approach, than the packet sent to the reflectors by the attacker. The legitimate servers are simply responding to a UDP request received on port 11211 and have no idea they are part of a leveraged attack.

Why target the servers using the UDP protocol?

Companies use UDP to speed up data exchange between servers; it’s faster because packets are not error checked, meaning there is no process to verify whether a packet has been sent or received. Since there is no such checking, there is literally no way to check whether the request is legitimate. The server simply responds to each request, making UDP servers perfect ‘reflectors’ for amplification attacks.

How do you stop amplification attacks?

Detecting an amplification attack is trivial: GitHub had an alarm that fired when the ratio of ingress to egress traffic crossed a threshold. That’s the easy part. Once you realize there’s a problem, your response options are limited. In the case of the GitHub attack last week, the traffic was routed to Akamai, which provided a service that absorbed and distributed the huge packet volume using Akamai network capacity and software that created automated access control lists. They blacklisted the legitimate servers being used as reflectors to stop the attack.
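As an added example, not code from the original post or from GitHub, the following Python detector models the ingress-to-egress ratio alarm described above together with a check that the inbound bytes come from many distinct reflector sources on the memcached port; the flow record format, the thresholds and the IP addresses are assumptions constructed for illustration.

```python
"""Amplification-flood detector over constructed flow records. Added example,
not code from the original post or from GitHub: it models the ingress/egress
ratio alarm plus a reflector-port check (floods arrive from many distinct
"reflector" sources on one port, 11211 for memcached). Records are constructed."""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211

@dataclass(frozen=True)
class Flow:
    direction: str   # "in" = toward our network, "out" = leaving it
    proto: str       # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_port: int
    byte_count: int

def ingress_egress_ratio(flows):
    """Bytes arriving divided by bytes leaving. A web site normally sends
    far more than it receives, so a large ratio is the alarm condition."""
    inbound = sum(f.byte_count for f in flows if f.direction == "in")
    outbound = sum(f.byte_count for f in flows if f.direction == "out")
    return inbound / outbound if outbound else float("inf")

def reflector_summary(flows, port=MEMCACHED_PORT):
    """Inbound UDP bytes per distinct source that used the reflector port."""
    per_src = defaultdict(int)
    for f in flows:
        if f.direction == "in" and f.proto == "udp" and f.src_port == port:
            per_src[f.src_ip] += f.byte_count
    return dict(per_src)

def detect_amplification(flows, ratio_threshold=5.0, min_reflectors=3):
    """Alert dict when the ratio alarm fires and the inbound bytes come from
    several reflector-port sources we never queried; otherwise None."""
    ratio = ingress_egress_ratio(flows)
    reflectors = reflector_summary(flows)
    if ratio < ratio_threshold or len(reflectors) < min_reflectors:
        return None
    total_in = sum(f.byte_count for f in flows if f.direction == "in")
    return {"ratio": round(ratio, 2), "reflector_sources": len(reflectors),
            "reflector_share": round(sum(reflectors.values()) / total_in, 2)}

# Constructed sample: normal HTTPS traffic plus bursts of 1400-byte UDP
# responses from three memcached reflectors (documentation-range IPs).
SAMPLE = [
    Flow("out", "tcp", "203.0.113.10", 443, 51000, 3000),
    Flow("in", "tcp", "198.51.100.7", 51000, 443, 500),
    Flow("in", "udp", "192.0.2.11", MEMCACHED_PORT, 80, 1400 * 10),
    Flow("in", "udp", "192.0.2.12", MEMCACHED_PORT, 80, 1400 * 8),
    Flow("in", "udp", "192.0.2.13", MEMCACHED_PORT, 80, 1400 * 7),
]
```

Calling `detect_amplification(SAMPLE)` reports a ratio of 11.83 with three reflector sources carrying 99% of the inbound bytes, while the first two (ordinary HTTPS) records alone produce no alert.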

Stopping these types of attacks is difficult. Generally, recommendations focus on longer-term best practices:

  1. Developers should stop using the UDP protocol and use TCP instead so that packets can be verified and checked.
  2. Reconfigure poorly configured UDP servers and do not use the default settings. Limit their responses to trusted sources only.
  3. Push to have all Internet Service Providers (ISPs) use Unicast Reverse Path Forwarding (URPF), which can detect spoofed sender IP addresses and drop the packet when malicious activity is discovered, such as an out-of-range IP address for the sender.

Sources: Scaling memcache at Facebook.


OilRig: Iran’s Cyber Hackers

OilRig is Iran’s state-sponsored hacking unit, established in 2015. Since inception, OilRig’s capabilities have grown to the point of becoming the subject of articles on Palo Alto’s security blog. Having started out with general phishing attacks, they have matured into a more sophisticated distributor of targeted malware using compromised servers at IT companies throughout the Middle East.

What I find most interesting about OilRig is that they have developed skillsets that allow them to attack Israeli IT vendors and government agencies from a nation-state that isn’t a financial powerhouse. In essence, they’re scrappy cyber street fighters who continue to evolve into a capable unit with cyber-reach in the US East.

Their current modus operandi is to compromise the servers of IT vendors and send targeted phishing emails carrying an executable to companies that use those vendors. The latest attacks contained the OopsIE Trojan attached to emails that originated from the IT company’s servers. Of particular interest is that one of their recent attacks was against a financial institution in Lebanon and that OilRig has already attacked a Vermont company to steal that company’s SSL certificate codes to phish targets.

According to Secure Reading this is how the attack works: “The macro creates a scheduled task which runs after waiting one minute to decode base64 encoded data using Certutil application.  It also creates a second scheduled task which waits for two minutes and runs a VBScript to execute the OopsIE trojan and clean up the installation.  The OopsIE Trojan is packed with SmartAssembly and obfuscated with ConfuserEx v1.0.0. It creates a VBScript file to run persistently on the system. The malware also creates a scheduled task to run itself every three minutes.  It uses HTTP to communicate with its command and control server using InternetExplorer application object.  The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags <pre> and </pre>. The initial HTTP request acts as a beacon.”

We’ll continue to hear more about OilRig in the future, especially as behind-the-scenes political shenanigans among nation-states create new alliances against the United States.


Unlocking the iPhone

Apple triggered a large-scale security and privacy debate after the 2015 San Bernardino terrorist attack that claimed 14 lives. The government wanted the iPhone unlocked to access the digital intelligence inside and ascertain whether there was actionable intelligence. Apple refused.

Apple’s position focused on user privacy and the encryption used in its iOS operating system; Apple wanted to protect its users’ data and prevent the future security issues in iOS that creating a back door would bring. The Federal Bureau of Investigation (FBI) wanted the device unlocked quickly so as to interdict other plots or identify co-conspirators in the attack. I appreciate both sides of the debate.

Ultimately an Israeli company, Cellebrite, which specializes in mobile digital intelligence, was contracted to unlock the device without Apple’s help, and the iPhone 5 was unlocked. The court order served upon Apple to unlock its own device was withdrawn by the Government. There will likely be a similar fight someday in the future.

The Cellebrite website offers a service that unlocks “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11”. “Devices are unlocked and returned within 10 days”. iOS 11 is installed on Apple’s latest phone offering, the iPhone X, which implies that it could be unlocked.

Unlocking Apple devices is both good news and bad: good if it’s in the public interest to quickly access a specific phone for actionable intelligence, and bad if Apple cannot make an iOS version that keeps everyone’s personal data safe, which is the thrust of its argument against unlocking its own devices in the first place. Fortunately, a true need to access an iOS device very quickly is rare, so the debate has been shelved until the next need arises.

Don’t worry, Android OS users, Cellebrite doesn’t discriminate: they offer the same service on a long list of devices that use the Android operating system. Sometimes I wonder if any device can truly be made secure.

My final thought: isn’t it interesting that this unlocking service isn’t offered by a U.S. company? Why would that be?