The Security Ledger

Episode 83: Who is hacking the Olympics? Octoly’s Influencer Breach and Google plays HTTPS Hardball

The Winter Olympic Games at PyeongChang South Korea have been targeted by hackers. But who is doing it, and why? (Image courtesy of International Olympic Committee.)

In this week’s Security Ledger Podcast (#83): McAfee Chief Scientist Raj Samani talks to us about that company’s research into a string of targeted attacks on the organizers of the 2018 Winter Olympics in PyeongChang, South Korea. Also: information on 12,000 YouTube stars, Instagram power users and other online influencers was leaked online by the French firm Octoly. We interview Chris Vickery of UpGuard, who found the data trove. And: Google says it will start playing tough with web sites that haven’t made the cutover to secure HTTP come July. Jeremy Rowley of the firm DigiCert* joins us to talk about what that will mean for web sites that haven’t kicked the HTTP habit.

The Winter Olympics kicked off last week in PyeongChang, South Korea, following weeks of reports of cyber attacks against the Olympics organizers. And lo and behold, before the Olympic cauldron was even ignited, cyber attacks reportedly took down television monitors around the Olympic stadium as well as the games’ wireless networks. Who wants to hack the Olympics, and why? To find out, we invited Raj Samani, McAfee’s Chief Scientist, to talk about what we know about the attacks on the Olympics and who is behind them.

Targeted, fileless attacks on the Olympics

Samani said that hundreds of organizations participating in the PyeongChang games have been the targets of sophisticated phishing attacks that used so-called “fileless” malware to place malicious DLLs (dynamic link libraries) on targeted systems – apparently with the intention of stealing data from them. All signs in the attack point to a sophisticated adversary, Samani said. Attacks against events like the Olympics aren’t unusual, but campaigns this sophisticated and targeted are, he said.

Researchers at McAfee say the attacks on the Olympics organizers were well planned out and designed to conduct espionage. (Image courtesy of International Olympic Committee.)

There is also evidence that at least some of the attacks were successful, though who might be behind them isn’t known. “The game of attribution roulette is well underway,” he said. Whoever it was had “Korean language skills,” he said. And while it might be easy to point the finger at “The Usual Suspects” – North Korea, or even Russia, whose athletes are banned from competing under the Russian flag in PyeongChang – it is much more difficult to prove who is behind the attack, he said.

YAS3L – Yet Another S3 Leak

It wasn’t that long ago (Episode 76 to be exact) that Chris Vickery of UpGuard was warning us about the leak of data on 123 million US households from the firm Alteryx. This week, it was data on 12,000 online influencers, including YouTube and Instagram celebrities, painstakingly compiled by the firm Octoly. The leaked data* included the real names of Octoly’s clients, mailing addresses, Paypal account information as well as user names and hashed (encrypted) passwords that might also grant hackers access to other accounts controlled by these online superstars.

Behind both incidents lies a common culprit: insecure cloud storage containers hosted by Amazon.com. To understand a bit more about how these head-slapping breaches keep happening, even after all the bad press, we invited Vickery back into the Security Ledger studios to talk about how he found the Octoly data.

You might also want to read: For YouTube Stars, Influencers: More Risk of Hacks after Octoly Breach

The discovery, he said, was the result of knowing where to look – at scale. It also boils down to continued lax behavior on the part of customers of Amazon’s S3 cloud storage service – in particular, a setting called Enable Global Authenticated Users, which permits anyone with an AWS account to see what you’ve got in your S3 storage bucket. We also talk about the difficulty Vickery had alerting the firm about its security slip-up and what his discovery might mean for those affected.
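The “authenticated users” setting Vickery describes is an S3 bucket ACL grant to the AWS-wide AuthenticatedUsers group. As an added example (not code from the post, UpGuard or Octoly), the function below scans an ACL in the dict shape returned by boto3’s `get_bucket_acl` for grants to that group or to AllUsers; the bucket ACL it runs on here is a constructed sample.

```python
"""Flag S3 ACL grants to the AWS-wide grantee groups (added example)."""

# Group URIs that AWS uses as grantees in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

RISKY_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "any AWS account holder (the 'Authenticated Users' setting)",
}


def find_exposed_grants(acl):
    """Return (permission, who) for every grant to a global grantee group.

    `acl` is a dict with a "Grants" list, the shape get_bucket_acl returns.
    An empty result means the ACL itself does not expose the bucket; a bucket
    policy can still grant access and has to be checked separately.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user and e-mail grantees name specific principals
        who = RISKY_GROUPS.get(grantee.get("URI"))
        if who:
            findings.append((grant["Permission"], who))
    return findings


# Constructed sample ACL: the owner's grant plus the misconfiguration from the post.
# The owner ID is a placeholder, not a real canonical user ID.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for permission, who in find_exposed_grants(SAMPLE_ACL):
        print(f"EXPOSED: {permission} granted to {who}")
    # Against a live bucket (needs boto3 and credentials):
    #   acl = boto3.client("s3").get_bucket_acl(Bucket="my-bucket")
    #   find_exposed_grants(acl)
```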

Google Plays HTTP Hardball

There will be big changes to the web come July. That’s when Google has said it will start playing hardball with websites that haven’t made the transition to secure, encrypted HTTP, otherwise known as HTTPS. Though it’s been in use by major web sites for years, millions of others still haven’t standardized on HTTPS and could be in for a rude awakening, says DigiCert Executive Vice President of Product Jeremy Rowley. In addition to marking the site as “insecure” in the Chrome URL bar, Google and other search engines might look sideways at content hosted on HTTP-only sites, lowering their search ranking.

In this conversation, we talked about what firms that might have put off the HTTPS transition need to do to get ready and what awaits them if they don’t.

(*) Clarification: an earlier version of this story indicated that bank account information as well as passwords were included in the leak. The story has been updated to clarify that the information leaked by Octoly included information on Paypal accounts and that the leaked passwords had been hashed (or encrypted). PFR Feb 13, 2018.