CyberWire Daily - Daily: LinkedIn may have been breached. Malicious apps, a new Skimmer, and honor among thieves.
Episode Date: May 18, 2016

In today's podcast we discuss a breaking story about what's potentially a very large breach at LinkedIn. Banks' interactions with SWIFT (not SWIFT itself, necessarily) concern observers. Malware and scareware appear in the Play Store. China interrogates Apple, Cisco, and Microsoft about security. We hear about ways in which participants in black markets evolve to function more like legitimate enterprises. University of Maryland professor Jonathan Katz unlocks the secrets of cracking ransomware, and Zimperium's John Michelsen says it's time to be proactive with the defense of our mobile devices.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
In a developing story, LinkedIn may have been breached.
More information is out on banks' interactions with SWIFT.
A banking trojan finds its way into the Play Store.
ATM malware performs the functions of a skimmer.
Gray hats turn ransomware vigilantes.
China quietly interrogates US IT companies on security.
And while even cyber gangs have HR departments, you know what?
There's still no honor among thieves.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, May 18, 2016.
In a developing story, LinkedIn has reportedly been hacked. Account records for some 167 million
users are said to be for sale on the black market site The Real Deal. About 117 million accounts'
hashed passwords are among the data being hawked.
Some observers have reached the preliminary conclusion that the breach is real, the data
legitimate. The crook selling the information is asking for 5 bitcoin, about 2,200 US dollars,
which suggests how rapidly data is being commodified in the black market.
We'll be watching this incident as the story develops.
Post-mortems on the Bangladesh bank's cyber theft trigger concerns over the integrity of SWIFT transaction records. Although SWIFT wasn't directly compromised, some banks'
interactions with the system apparently were. Compromise of SWIFT interactions would be
troubling, and not only for the potential of theft. The U.S. government, for example,
uses SWIFT transaction data to monitor financial systems for illicit funds transfers.
Should that data become unreliable,
that eventually could have significant ramifications for intelligence and law enforcement.
Users are reminded again of the need for caution in the apps they download.
Another malicious app has found its way into the Google Play Store.
Blackjack Free would appear to be a gaming app,
but in fact it's simply a vector for a variant of the Ace Card banking Trojan.
Another problematic app is a flashlight add-on,
that is, an app that lets you use your device as a literal flashlight for illumination.
Many phones come with legitimate flashlight apps pre-installed.
Those that don't, however, are at risk if they try to add this feature to their device.
According to Trend Micro, Super Bright LED Flashlight serves up advertising scareware,
which falsely purports to be from Google, that tells users their device is infected with malware
and offers to sell them a variety of antivirus products.
Our advice? Get an actual flashlight. Our stringers
pick up two or three of them at every conference they attend. Kaspersky has discovered a new
variant of ATM malware, essentially a software alternative to the hardware skimmers mules insert
into gas pump payment stations. Kaspersky gives the malware the somewhat obvious name Skimmer
and says that it can dispense money, collect and then print paycard and account details, and eventually delete itself.
Skimmer uses the commercial Themida packer to help keep itself hidden.
Ransomware seems to attract cyber-vigilantes of various stripes.
These range from the obvious White Hats who develop decryption tools and make them available to the victims, to the gray hats who directly interfere with ransomware transmission.
F-Secure has published a case study of one such action,
the substitution of a public service announcement warning against phishing
for the malicious Locky payload the criminals had intended to distribute.
The long-familiar Microsoft tech support scam, no association of course with Microsoft, is perhaps second in longevity only to the Nigerian banking scam, but it's now showing a new wrinkle.
Malwarebytes has found a Windows locker that displays during booting and that temporarily locks a user's system.
The screen displays a plausible-looking dialog box that tells users they have an invalid product key and gives them a support number to call. Once they call, of course, the victims are tricked into giving up sensitive data.
As we've reported recently, the FTC and FCC have taken an increasing interest in how mobile
service providers and device manufacturers are providing timely updates. John Michelsen
is chief product officer at Zimperium. The reality is the mobile platforms
are fantastic, right? They're doing amazing things and they're growing. And the problem is
that the rate of CVEs or vulnerabilities that are disclosed is still on the upswing. It's still
going higher. So if you look at a stable platform like Linux, it peaked many, many years ago in terms of disclosures of vulnerability.
And it's now quite rare to see a very significant vulnerability disclosed in Linux, for example.
But in both Google and Apple's platforms, it's quite common to see high severity CVEs discovered.
Every few years, we see mobile devices that are radically improved in their capabilities,
the number of radios in them, the things they can do, and of course, wearables after that,
and IoT after that. So these platforms are certainly still on the expanding side,
and because of that, we're not going to see a slowdown in CVEs for quite some time.
So, faced with ever-evolving platforms and threats,
what's the best strategy to protect our mobile devices? Michelsen has some practical advice.
We all need to recognize that the least we could do is to make sure we're running the most current
versions of the operating systems that are on our devices, and that we're using devices that are
well-supported. You know, some manufacturers are slower to patch their devices than others,
and some telcos are slower, depending on where you are in the world, slower to patch their devices.
But we need to also come to terms with a reality here.
The reality is when a vulnerability is discovered, that doesn't mean it was just invented.
It doesn't mean it didn't exist before the discovery.
When we identify, in the security business, a zero-day discovery of some new exploit,
on average it's been in the world for 200 days already.
So, in fact, we've been vulnerable to this new disclosure or discovery for at least 200 days already.
So, certainly, patching is good, but patching itself
is not sufficient. For those customers, especially enterprises that trust their mobile devices,
or that need to trust the mobile devices, they have sensitive assets on them, they have access
to sensitive data, you really should think about on-device detection of these kinds of exploits
so that you aren't always late, because the disclosure and the
discovery is, as I say, hundreds of days after the thing has already been in the wild.
That's John Michelsen from Zimperium.
Chinese authorities are querying U.S. IT companies about security matters.
This is being done quietly in face-to-face interviews.
The companies who've been summoned include Apple,
Cisco, and Microsoft. Criminal markets have for some time been evolving into shadow versions of
legitimate markets. According to an HPE report on the state of the black market, illicit enterprises
now have most of the familiar trappings of business. They've acquired FAQs, help desks,
customer relations people, quality assurance, even HR and recruiting.
They're also adopting the language of the boardroom, which one might hope
will impede their rate of technology advance. After all, if CISOs are to be believed, boards
often don't get it. And if boards are to be believed, CISOs struggle to discuss risk in
business language. Maybe the cyber crime lords will find themselves
grappling with the same failures to communicate. We can hope, anyway. And finally, there's no honor
among thieves, is there? Because not only do cyber gangs have management challenges, they've also got,
well, other cyber gangs. The criminal forum Nulled.io, a popular bazaar for stolen information,
has itself been robbed.
Various crooks have made off with data without paying for it.
If they have HR departments, we're pretty sure the outraged gangs have got collection agencies, too.
We hope the good guys get there first.
Joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland.
Jonathan, ransomware is a recurring theme on our show. It seems like there's always new ransomware tools.
And one of the things that ransomware relies on is encryption.
What kind of encryption schemes are we usually seeing in ransomware?
These ransomware, they're actually quite vicious.
And what they do is they turn cryptography on its head and they use it against the honest party that they're attacking.
And what they're typically doing is actually using public key cryptography, public key encryption. The ransomware is generating a random key, encrypting the contents
of the user's hard drive using that key, and then encrypting that key using a public key
encryption scheme with respect to a public key for which the creator of the ransomware
knows the corresponding secret key.
So what this allows is that if the honest user is willing to pay some ransom to the
creator of the ransomware, then the person who created the ransomware is actually able
to decrypt and allow the user to decrypt the contents of their hard drive.
Now, we've seen that there's been some success with folks developing decryption tools for
ransomware.
Yeah, that's right.
And it's really interesting there because what they're basically relying on
is the difficulty of getting implementations of public-key cryptography right.
And so if the ransomware does not implement the public-key encryption correctly,
then researchers can potentially crack it.
And so in a lot of these cases, what happens is that the random number generation
or the random numbers that are used to either encrypt the user's hard drive or to do the public key encryption itself is actually using poor quality randomness.
And that basically gives the good guys a toehold with which they can actually decrypt the user's hard drive without having to pay the ransom at all. So it's really interesting as a demonstration of, on the one hand,
how the bad guys are trying to use encryption for their own purposes,
but because they can't or they're unable to implement it correctly,
it actually backfires on them and allows people to recover their data.
Yeah, it's a good thing for us that none of these bad guys have you as their professor, right?
That's right. It's going to be a little dangerous when they start taking crypto classes
and learning how to implement it correctly.
I guess it just serves as a warning for everybody
about how difficult the topic really is.
All right.
Jonathan Katz, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.
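Editor's added example (not part of the episode, and not code from Professor Katz, Zimperium, or any real ransomware family): a stdlib-only model of the hybrid scheme Katz describes, a random per-victim file key, the victim's data encrypted under it, and the file key wrapped under the criminal's public key, followed by the "toehold" he mentions, recovering the file key without the private key when the key came from a poorly seeded PRNG. The RSA primes, the toy SHA-256 stream cipher, the 16-bit seed space, and the sample document are all constructed for the demonstration.

```python
"""Hybrid-encryption ransomware model and the weak-RNG recovery toehold.

Editor's added example, stdlib only. The RSA parameters, the stream cipher,
the seeding scheme and the sample document are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import os
import random

# --- Public-key part: textbook RSA on two small demo primes (constructed) ----
# n is ~40 bits, so each 32-bit chunk of the 128-bit file key is below n and
# wraps without padding. Real ransomware uses 2048-bit RSA with OAEP; this is
# only meant to keep the key-wrapping step visible.
DEMO_P, DEMO_Q, RSA_E = 1_000_003, 1_000_033, 65_537
RSA_N = DEMO_P * DEMO_Q
RSA_D = pow(RSA_E, -1, (DEMO_P - 1) * (DEMO_Q - 1))   # only the criminal holds this


def wrap_key(file_key: bytes) -> list[int]:
    """Encrypt the 16-byte file key under the criminal's public key (e, n)."""
    chunks = [int.from_bytes(file_key[i:i + 4], "big") for i in range(0, 16, 4)]
    return [pow(c, RSA_E, RSA_N) for c in chunks]


def unwrap_key(wrapped: list[int]) -> bytes:
    """The criminal's path after payment: recover the file key with d."""
    return b"".join(pow(c, RSA_D, RSA_N).to_bytes(4, "big") for c in wrapped)


# --- Symmetric part: toy stream cipher, SHA-256(key || counter) as keystream --
def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream; same call encrypts and decrypts."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


# --- Key generation: the flawed variant versus the correct one ----------------
SEED_BITS = 16   # shrunk for the demo; a 32-bit time seed is 2**32 trials, still cheap offline


def weak_file_key(seed: int) -> bytes:
    """The flaw Katz describes: a 'random' key with only SEED_BITS of entropy."""
    return random.Random(seed).getrandbits(128).to_bytes(16, "big")


def strong_file_key() -> bytes:
    """What a correct implementation does: a key from the OS CSPRNG."""
    return os.urandom(16)


def infect(plaintext: bytes, file_key: bytes) -> tuple[bytes, list[int]]:
    """Ransomware flow: encrypt the data under file_key, wrap file_key for the criminal."""
    return keystream_xor(file_key, plaintext), wrap_key(file_key)


# --- Defender side: recover the file key without the private key --------------
MAGIC = b"%PDF-"   # known-plaintext header used to confirm a candidate key


def recover_without_ransom(ciphertext: bytes, magic: bytes = MAGIC):
    """Brute-force the PRNG seed space and test each candidate key on the first block."""
    head = ciphertext[:32]
    for seed in range(1 << SEED_BITS):
        cand = weak_file_key(seed)
        if keystream_xor(cand, head).startswith(magic):
            return seed, cand
    return None   # no candidate fits: the key did not come from this weak generator


def demo():
    """Run both variants; returns (recovered seed/key, decryption ok, strong-variant result)."""
    victim_doc = MAGIC + b"1.4 constructed sample document for the demo\n" * 4
    seed = 0xBEEF                                     # stands in for a time-based seed
    ct, wrapped = infect(victim_doc, weak_file_key(seed))
    assert unwrap_key(wrapped) == weak_file_key(seed)  # the criminal's path still works
    found = recover_without_ransom(ct)                 # the defender's path works too
    ok = found is not None and keystream_xor(found[1], ct) == victim_doc
    ct_strong, _ = infect(victim_doc, strong_file_key())
    return found, ok, recover_without_ransom(ct_strong)


if __name__ == "__main__":
    found, ok, strong = demo()
    print("weak variant: seed %#x recovered, plaintext restored: %s" % (found[0], ok))
    print("strong variant: recovery result", strong)
```

The brute force needs no private key at all: it only needs the generator the ransomware used and a few bytes of predictable plaintext to recognise the right candidate. Correct use of `os.urandom` (or any CSPRNG) removes the toehold entirely, which is the point Katz makes about implementation quality rather than the strength of the underlying ciphers.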