Blog
(ISC)2 Costa Rica Chapter: Sharing reflections and lessons learned from Maze Team attack
The original article by Diego Delfino can be found at https://delfino.cr/2020/05/caso-maze-bcr-expertos-comparten-reflexiones-lecciones-y-sugerencias
Óscar Monge España , founding member of (ISC)² chapter Costa Rica has 16 years of experience in multiple fields of cybersecurity, such as incident response, threat intelligence, risk management and vulnerability management at the corporate level and in the cloud methodology Agile and ITIL, information security expert and cloud security professional. His work in the field led him to obtain the award as the best security participant for America (America’s ISLA) awarded by the renowned organization ISC2 in 2017.
He currently works for RaboBank in The Netherlands as a cybersecurity solutions Architect for the cyber defense center in charge of the implementation of the cybersecurity strategy, standardization of processes and implementation of practices aligned to the industry. In his spare time, he is an instructor for ISC2 of his CISSP and CCSP certifications.
Kenneth González , founding member of (ISC)² chapter Costa Rica, is currently a security testing consultant (pentester) and leader of the X-Force Red team for Costa Rica, IBM’s elite offensive security team. He has several cybersecurity blog posts and a book related to monitoring tools and methodologies that use cyber threat detection technologies. He is also an instructor of cyber security classes including hacking offensive security ethics and cybersecurity in general. With 12 years of experience in products and services related to cybersecurity threats, cybersecurity defense tactics and offensive security Kenneth has certifications such as; OSCP, eCPPTv2, CISSP, PENTEST+, CISM, CISA, CEH, CSX, CPTE, MCSA, MCITP, MCTS, CySA+ Project +, Sec+, ITILv3, COBIT4.1
Monserrat Guitart, CIPP/E, Regional Director of Intellectual Property and Technology at Dentons Muñoz. In 2011 Monserrat joined the software alliance with BSA as legal advisor for the Latin American anti-piracy program in Washington D.C. and in 2014 he joined the global compliance team where, among others, he analyzed the impact of data protection legislation on the program in Brazil, Mexico, india, Thailand, Poland and Russia.
In 2016 she joined Dentos Muñoz as director of the Costa Rica office and since 2018 has been in charge of the entire Central American region. Since 2017 Monserrat has been certified as IAPP – International Association of Privacy Professionals as Certified Information Privacy Professional/Europe – CIPP/e.
In December 2018, it was undermined by the Financial Times for her contribution to the innovation in the legal profession through the implementation of the Dentons Direct IP platform, an online solution that gives Dentons clients access to a personalized site that helps structuring large projects such as privacy impact assessments (PIA) carried out in large companies.
Some of the publications regarding protection of personal data can be found on Data Guidance https://platform.dataguidance.com/notes/costa-rica-employee-monitoring#column-6 and ItechLaw https://www.itechlaw.org/survey-category/latin -america-privacy-and-data-protection-survey-2018 .
- What is (ISC)²?
It is the largest and most recognized non-profit association of information security specialists worldwide, present in more than 135 countries and brings together more than 60,000 professionals.
- There are different versions of different groups of security experts (most of whom have requested anonymity) about the scope of the two leaks that Mase has made. The official version, endorsed by the leader of the SUGEF, Bernardo Alfaro, ensures that the information that was leaked is not enough to perpetrate scams, since in principle it would be limited to the entire numbering of the cards.
He even said that the leak did not include the CCV. Specifically, can you confirm that the entire numbering on the card is not sufficient to perpetrate scams? Can you confirm that this was the only data that leaked? Various sources have indicated the opposite, as they say they have confirmed cases where track 2 of the card, or the CCV was included, etc.
The information published in a transaction log that contains the card number and track2, the latter contains the information included in the magnetic stripe, which could enable the cards to be printed and “cloned”, however the risk is not so high for the following:
- For Internet purchases, the vast majority of sites require cvv3, known as a security code and which is usually printed on the back of the card, which was not published.
- It is important to clarify that cvv2 is a value that is generated using a cryptographic key stored in security equipment known as HSMs and the possibility of generating these values from the card number is practically impossible. In addition, these values should not be stored by banks, the value is calculated every time a transaction is made, it is used only to validate the card used.
- Although it is true, some businesses could carry out transactions without the security code, they are the least and in theory, for not using the security mechanisms, in the event of a fraudulent transaction these businesses should be held responsible for the charges.
- Cloning cards becomes unprofitable for criminals because they do not have the required PIN to withdraw money from ATMs and few countries and businesses continue to use the magnetic blanket. Precisely most banks have been replacing this technology for several years.
- Costa Rican banking association, today continues to speak of information allegedly violated, do you agree with this official speech? Can we continue talking about alleged violation? Recently the authorities of the bank and the SUGEF recognized that the information is valid, with which we can say that if it was breached, what is not clear is how it was breached, if it was due to an information leak or if there was an intrusion.
This should be clarified by both the bank and the OIJ in their investigation, there is a possibility of error or even only on the part of an official. It should also be borne in mind that these cyber criminal groups work with extortion schemes, this means that due to the nature of their business, they can alter the veracity in terms of how the information is held, for example attacks on third parties with Old card transaction databases that do not necessarily belong to a financial institution.
- How can you leak or exfiltrate the information of an organization? In this case, it has been argued that it was not the BCR systems themselves that were violated. And although that would be a good sign, the main point of this conversation was summed up very well by Susana Soto when she said “there is a leak of information that should not be anywhere else than in the bank’s systems. Point”. We know that the investigations are just beginning, but what versions are handled of what could have happened? And how can it be avoided?
It is important to indicate that there is no absolute security, the possibility that the systems have been violated exist, very well planned and executed attacks could violate practically any company, companies receive hundreds of attacks daily and of course there will always be the human factor, an error, an official who exported the information on a hard disk an external storage medium or even the possibility that it was malicious, either an employee a resentful or even paid by criminal networks.
There are multiple attack factors, the most common is the use of malware and social engineering, with which they achieve that internal users download files or access sites where they are infected with the malware that then does its job, in fact the MAZE malware that is A RANSOMWARE type (encrypts information and asks for ransom) works that way, attacks users and through deception techniques spreads across the network, performing checks on other computers and servers.
Furthermore, this malicious software MAZE (which has been active since May 2019 according to international investigations) has been used in multiple attacks on financial “retail” companies and other sectors in other parts of the world, so its attack methodology and behavior are already known.
Avoiding it requires a series of controls that are defined in standards such as ISO27001, the NIST Framework (security of the National Institute of Standard and Technology) and in the particular case of credit and debit cards in the PCI / DSS.
- What about security controls? Are the banks safe or not?
Banks are the companies that have invested the most in security and for obvious reasons, however the subject is really complex, the vectors or routes of attack are many, and the constant evolution of technology requires constant updating. There is no absolute security and we could talk about security levels and a company will be more, or less secure depending on the level of compliance with international standards and good practices that it applies.
In the case of banks in Costa Rica, there is even a “maturity model” issued by the chamber of banks where the appropriate controls to implement are specified, which was reviewed and endorsed by the ISC2 Costa Rica chapter. Now, this is a continuous and cyclical integral process, it is not just about buying security systems or carrying out a series of consultancy processes, to validate possible security breaches or improvements, it is a subject that is applied day by day and it involves the entire organization, Undoubtedly, it must start with the support and involvement of the highest levels and cover the entire organization.
- Are the means of security too expensive?
The cost varies a lot, there are very expensive tools, but there are also free tools.
For example, high-profile companies provide services and systems that are quite expensive but many of them have free versions of these products without any payment.
There are also free and easily accessible threat intelligence services so that cybersecurity specialists can implement early detention systems in companies without even being attacked. This facilitates the process of detecting and controlling threats in the event that something happens.
One of the most important issues at the point of the cost of cybersecurity is that the community of specialists and experts shares a lot of information from analysis of attacks in other latitudes.
We could make a similarity in terms of the airline industry, where a failure in an airplane emphasizes that the entire industry improves, it is the same in cybersecurity, a new attack makes the industry share information and improve defense and detection systems. But again it is a continuous process that does not end, if it does not mature over time.
- Are there any security standards or norms to follow to guarantee the security of companies?
Yes, of course, depending on the industry, there are norms or standards, for example, NIST (National Institute of Standard and Technology) has different reference frameworks, one of the broadest in the “cybersecurity framework”, another of the most widely used at the international level is ISO 27001 known in the industry as the gold standard in information security and particularly in the case of credit and debit cards, compliance with the PCI/DSS standard, among many others.
- In the computer security union there is a consensus that undoubtedly seems to be the most appropriate; The recommendation is not to type any type of information on sites whose security is not known to us. We are all clear that they have directly or indirectly alluded to the platform developed by ATTI Cyber, a local cybersecurity company. Alfaro himself said (without directly referring to the company) “it is a trap to capture your data through malware and cause you harm”. The question is concrete because (ISC)² is authority on the matter. Can you confirm that this site was indeed doing this? Additionally: what should we understand when the SUGEF hierarch says that 16 card numbers are not enough to perpetrate a scam but 10 are?
We verified the ATTI cyber site and despite the fact that this particular one did not capture additional information, it indirectly, promoted users to use unofficial means and, by the way, possibly without intention, empowered criminal groups to publish their own platforms where information was captured, which was not published and with which it was possible to commit fraud.
Platforms of this type, although they may be useful in your idea, represent a risk since the information processed or captured by these sites (whether complete or not) may present a new risk of exposure, since being a private company does not is aware of where this data is processed, where it is stored and also if there is metadata that is stored and may represent a high risk if it is exposed to the public, for example IP where the query is made, browser information, cookies, etc.
Regarding Mr. Alfaro’s statement, we are not clear about the statement, except that indeed the card number without the security code is not as valuable, although if there could be some level of fraud or some type of scam, especially by phone or by e-mail.
- Which leads us to a very interesting question: what legal implications can it have in affirming that a company has been violated, based on published information, even if it is valid? That is to say: shouldn’t ATTI Cyber confirm what the bank itself later accepted?
Security breaches happen every day, every day the company around the world are exposed attacks and many of them are mitigated (the latest statistic by the University of Maryland indicates that there is a computer attack once every 39 seconds) this represents A major challenge for all specialists and professionals in cybersecurity, there are now investigative processes that in many cases last months and even years. It is not normal for a group of cyber criminals to indicate that they successfully executed an attack and validate immediately.
There are in the industry concepts of IOC’s (indicators of commitment) that allow researchers and also cybersecurity analysts to validate if the organization is experiencing any type of attack, this data is normally confidential and is treated internally by most of the companies as they can expose important and confidential information.
Forensic investigators and incident response processes are key to whether or not a company was attacked. These processes are executed on internal systems of the companies, unless the company ATTI was hired by the bank to validate these issues, it is not correct to indicate that the company exists, was violated or “hacked” so categorically.
Regarding the legal implications, as it is a subject with possible criminal implications and not having specialists in the subject in the group, we prefer not to refer.
- The ethical Costa Rican company claims to have been legally advised and to have foreseen the legal and technical implications of its tool. Also that the site did not capture improper information and that it did not have malware, however the gesture (this interviewer in particular part of the good will) of wanting to help the public was interpreted by his colleagues as hasty, negligent and dangerous.
Position that I understand (ISC)² shares. Which brings us to the query: what legal implications does the use of stolen information have, such as that used to validate the compromised of the cards?
It is important to clarify that our criteria in a personal capacity and as a member of the “(ISC)² Costa Rica chapter” and indeed the members of the group share that the validation tool increased the risk for users.
Regarding the issue of the legal implications of using stolen and published information, which we consider to be very different from making public information, we have requested the collaboration of the lawyer specialized in the subject, Monserrat Guitart, who indicates the following:
“In order to process personal data, including credit card information, a legitimate basis is always required, which in this case is the consent of the bank’s client. Thus, only the bank and within the limits set by the client himself can use this information. The fact that the database is disclosed by third parties or that it is now presumably available on the Internet, for whatever reason, does not provide that legitimate basis or the right to use the database in any way.
In the networks, the ‘Rolling Stone’ effect occurs when something begins to roll, it is very difficult to stop it, so it is recommended as users to avoid disclosing something that should not have been there in the first place. This is very palpable with photos or videos that are filtered without the consent of the participants, we can do our part and not share to somehow preserve the privacy of those involved.”
- Are we talking then about a legal vacuum that leaves people in a situation of defenselessness when the responsible authority lets the days go by without referring to the issue and the information is already in public use? I ask this a genuine concern. Why? Because those people who had friends with the due knowledge in the matter in a matter of hours were able to confirm (“off the record”) if their card had been compromised, while the rest of the population did not.
The difference is that ATTI Cyber made its public service, the rest of the experts operated “from underground”, but they did the same: process the information and help people confirm if their card appeared. I myself was lucky to have this benefit but … shouldn’t I? Shouldn’t my friends help me? because then, in addition to the “legal vacuum” for which I ask them, we are faced with an ethical dilemma. Do you consider that what ATTI Cyber did is wrong but not what those who did the same without making their work public?
Regarding the issue of the legal vacuum and the eventual responsibility of companies to report an incident to those affected, we indicate the response given by Mrs. Monserrat Guitart:
“The first thing to clarify is that the information is not public, but that it was revealed by a potential illegal act, despite the technological measures adopted. It is there because there was a deliberate attack on the information protection systems.
What would correspond is not to make use of these data, since no one other than the person in charge of the database was authorized to do so, who must also carry out a risk analysis and establish mitigation measures.
Not everything that is on the Internet is public or freely accessible, because it is available and this applies not only to movies and music, but also to databases”.
The truth of the case is that in terms of security there are things that seem good, in this case in particular the verification of the cards, but undoubtedly it was hasty and increased the risk of the users, in the best case the tool should have been sent to the competent entity, in this case to the bank, so that it could decide whether or not to use it. In security, it is essential to access official sites, this eliminates situations such as those that occurred with other sites that did capture additional user data. Adding the fact that panic is generated in the population and it could and irresponsibly put a company at risk, in this case the bank of Costa Rica.
Operating clandestinely is a term that can be taken in a bad way, that is, a professional cannot go out and publish: “The BCR was“ hacked”, eventually it could indicate that there was an information leak and that it could have been to a security breach and that is under investigation, in addition to being more objective with the real risk of that information, if it is true that fraud can be committed, curiously, there does not seem to be cases of defrauded clients at least to date, on the other hand, there is a clear responsibility of the entity to respond for an eventual fraud, with which the risk is really the bank of Costa Rica and not its clients.
We consider that there are serious errors in the form of communication that magnified the incident and increased risk for users, for the company and even for the banking sector.
- Which brings us to another important query. The list of cards, as such, was already public. Is it illegal for any of us to possess it even if the person drops it to confirm that their card is compromised? Is it illegal to share it with a friend in order to help you?
As indicated the fact that an information is published, it does not make it public, beyond the legality that was explained in the previous consultation, the risks incurred are various, in those fraudulent sites, such as the page of Maze, viruses are usually placed so that curious people when accessing the site are infected, to these sites only specialized personnel must enter and using properly secured equipment, that a person downloads the information from these sites and also the sharing increases the risk and magnify the incident.
- So you would say that the best way to handle this as a client, in the future, is always to wait for the official response of the bank (whatever it is and take the time it takes) even if you are certain that the information is sensitive and vulnerable and allows the card to be compromised?
The incident definitely has to attract everyone’s attention, because it is important to have transparency and provide clear and timely communication, to prevent others from taking advantage of the situation.
The bank may have determined that the information was low risk and that it decided before reporting it to analyze the incident for current power in the most convenient way. If we consider that the bank and the authorities took a long time to refer to the case, it was not necessary to know the way in which the leak occurred, because that investigation is complex, but if it was necessary to know that the bank considered that the risk was low, that it would change the required cards at no cost and that later they would determine the cause of how the incident occurred.
- Is there a code of ethics among information security professionals in Costa Rica? Is our legislation fully shielded to deal with cases like this? Is there an entity that can audit, for example, that the Atti Cyber site was free of malware and did not capture improper information?
There are groups such as (ISC)² that do have a code of ethics, which is based on the following principles: Protect society, the common good, public trust and infrastructure.
Act honorably, honestly, fairly, responsibly and legally.
Provide a diligent and competent service. Advance and protect the profession.
This is very important because regardless of the situation, it must be handled in a professional manner, avoiding generating additional problems for the parties in general, it is not about protecting one or the other party, if not all.
Many professionals can validate the non-existence of malware on the site, if a certification is required, we consider that the entity has carried out in the OIJ’s cybercrime unit, but we assume that they do not act if there is no prior complaint.
Regarding legal shielding, like the case of security, it is an issue with many edges that can be addressed from the responsibility and procedure that the violated companies must follow, the responsibility of companies and a security specialist regarding the publication of this type of incidents and their contribution to minimize the damage of all parties and that of other actors that will be very important to validate, particularly Prodhab should analyze and rule on it.
- How is the cybersecurity issue after this attack?
The scenario should change, in a world based on technology, security is an essential element and in companies like banks where their business is based on people’s trust, the issue becomes mandatory, companies must analyze the importance that they are really giving Cybersecurity, have clarity, control and monitoring of the risks that are related to the use of technology.
Cybersecurity is not a technical issue, it is a strategic issue, because it directly impacts the operation of the business of many companies and therefore must have the importance it requires.
In the case of the banking sector, we know that there are security forums at the sector level, and instructions such as Micitt have been working on issues such as the National Cybersecurity Strategy, but it is essential to provide security areas with the empowerment and resources they require to be able to potentiate the use of technology that brings us so many benefits.
- What recommendations would you give to companies and users?
There are many recommendations, but in summary we could say the following:
To companies:
- Adopt a security standard or reference framework. Hire experienced staff, preferably certified, or try to get it certified.
- Basic controls: equipment duly “patched” and updated. Anti-malware system and Firewall properly configured, navigation filtering with restriction exclusively to work sites, blocking the use of external devices, in case you require them to use them, only use them internally, avoid storing information on users’ computers, separate and control access to and from different network segments.
- Use two-factor authentication mechanisms, especially for users with privileges or sensitive systems.
To users:
- Equipment provided by companies, use them only for work purposes.
- Do not install applications that are not required, or from sources that are not reliable.
- Never open messages, much less files received by mail from unknown or unexpected sources. Never access links received by email.
- Verify that they have a properly updated and configured anti-malware and personal firewall system.
- Do not use the access codes to labor systems in personal applications or services, those of access to banking Online must also be different and exclusive.
- Let’s go back to Mase. They have indicated that they will continue to share information. This seems to be of no concern to anyone, perhaps because the official discourse continues to be “the information that has circulated is incomplete and outdated, two or three years old, in many cases obsolete.” Even the BCR said in the nation that 70% of the “compromised” cards are already expired but did not speak of the number of cards only in percentages. The issue is that according to the data published by the researcher Bernardo Corrales, 871,766 BCR cards have been leaked so far which implies according to the bank’s own numbers about 261,529 in force so far. Are we giving due importance to this topic?
An incident story like this can change overnight, the published leak cannot be minimized, the number of cards to replace is significant and will come at a cost. as well as all the validation work of controls that must be carried out; It will be of great importance for the banking sector to determine the order of the leak and what controls were not properly applied or violated and why.
The incident still seems like it could be of low impact, but this is a never ending issue, companies like banks receive nearly 100,000 attacks a month from the Internet, this is not new and it can be said that it is usual, the big mistake could be getting used to it and assuming that nothing is going to happen to us in safety, we cannot relax.
- I am going to be very direct: I understand perfectly well that the Atti Cyber tool must be questioned and investigated, and the ethical and legal limits of its actions reviewed and widely discussed. But is it wise for the discussion to focus significantly around the ethical company tool and not around what is happening and continues to happen with Mase? There is a lot of forcefulness in the first and many gaps around the second….
The validation tool is one of the problems, which unfortunately increased the risk for users. The incident will leave the security sector with much to learn about how such an incident should really be handled and indeed the authorities should identify any gaps that exist and seek to eliminate them.
Maze is just a type of malware/attack scheme (used by groups). Just as there are hundreds of MAZE, every day there are new campaigns of attacks, new threats and new possibilities. But also, every day we work hard on both methodologies and defense systems to protect the institutions, it is a typical cat and mouse game where there is a constant fight. Another example of strong and complex attacks in recent months have been COVID-19 issues and everything to do with the pandemic.
- I return to the official speech. It has been emphasized that it is “old” information but there is no certainty of how much more Maze has given that we do not know how many more releases they will make and how far they go, they could for example have started from back to front. Is there a risk that they will have more current information and that it will be released in future leaks?
Initially Maze mentioned having close to 11 million records, which if we add the last two deliveries made of 2 and 1.9 GB coincide with this amount, we could assume that it does not have any more information, however at risk it obviously exists and we will not know until that the incident ends.
What is mandatory is to unequivocally identify the source of the leak and verify the effectiveness of existing security controls.
- Another important issue is that we are not only talking about BCR cards. There are clear card numbers of other issuers. Does this comply with PCI/DSS? Thinking that the internal security systems of the BCR were indeed able to avoid a vulnerability, could or should this be another issue of greater concern to the bank at this time?
The PCI/DSS standard suggests the use of encryption in the transport and storage of card numbers, however, it enables clear or non-encrypted use in situations duly documented by the company.
It is important to be clear that the implementation of PCI/DSS is not mandatory in Costa Rica, although obviously it should be a good practice implemented throughout the banking sector.
Definitively, the main concern for the BCR should be to validate the effectiveness of the defined security controls and, of course, identify the source of the information leak.