CyberWire Daily - Daily: US-CERT warns of SAP issues. Business disruption big criminal business. A talk with IBM about Watson.
Episode Date: May 12, 2016

In today's podcast we discuss a warning from US-CERT and Onapsis against some old but active SAP vulnerabilities. Pawn Storm is back, and active against German political targets. DDoS-for-hire is proving lucrative, as is ransomware. Joe Carrigan from Johns Hopkins University Information Security Institute explains what you should do when you get suspicious-looking email. IBM speaks with us about their cyber security plans for their Watson AI.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Onapsis and U.S. CERT warn that some old SAP vulnerabilities are back to bite you.
Pawn Storm is also back, and it's interested in Germany's CDU.
As stolen data drops in black market value, criminals turn to business disruption.
We hear advice on what you should do with dodgy looking email and we have a talk with
IBM as it sends Watson off to college.
They sure grow up fast, don't they?
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, May 12, 2016.
U.S. CERT warned yesterday that enterprises may have exposed themselves to attack by the way they've configured their SAP business applications.
Onapsis, which did the research that led to the warning, found that at least 36 enterprises are vulnerable to exploitation of a bug discovered and patched back in 2010,
but it was up to organizations to enable the security upgrade in their SAP implementation.
US CERT says the problem arises from abuse of the invoker servlet,
a built-in functionality in SAP NetWeaver application server Java systems.
Out-of-date or misconfigured SAP instances should be checked and fixed.
Onapsis had noticed common similarities in its scans of customer systems,
and further investigation revealed that old indicators of compromise "had been quietly sitting in the public domain for several years at a digital forum registered in
China." The company explicitly says it has no reason to conclude that there's a state-sponsored
or otherwise organized campaign to exploit the vulnerabilities, but it does call what it's found
so far the tip of the iceberg. So SAP users should look to their systems as we stand by for more of
that iceberg. Pawn Storm is back, out and about, and as vigorous as ever. It's probing critics of the
Russian government. According to Trend Micro, Pawn Storm's current interest is Germany's Christian Democratic Union,
the political party of Chancellor Merkel. Proofpoint says Locky ransomware is evolving.
Not only is it being widely distributed by Dridex, but researchers are observing some new
behavior, including increasingly convoluted JavaScript obfuscation, additional junk files
to help evade detection, mangled content-type headers to help evade detection, and the use
of RAR instead of zip compression of JavaScript.
These collectively make Locky harder to detect.
The ransomware is also now using an intermediate loader named RockLoader, which waits until
it replaces itself with Locky proper.
IBM has published a look at DogSpectus, the Android ransomware discovered and described by Bluecoat. DogSpectus represents a disturbing new approach to ransomware coding in that it
requires minimal user interaction to achieve infection. It downloads automatically when a
user visits a malicious website. Researchers have found that devices running Android versions 4.0.3 through 4.4.4 can be infected. It's worth noting, however,
what IBM calls good news. DogSpectus doesn't encrypt data. It merely locks the victim device.
Thus, it may be possible to access and copy data saved in both internal memory and attached storage, and then remove the infection with a factory reset.
DogSpectus aside, email remains a common malware infection vector.
We spoke with Johns Hopkins University's Joe Carrigan about what to do when you get a suspicious email.
We'll hear from him after the break.
Business disruption has clearly become a major cybercriminal profit center.
Specialized hackers, stressers as they're sometimes called,
offer booter services that function effectively as DDoS as a service.
And there's a market for their services too.
They're said to easily pull in $300 to $500 a day.
Many of them tell themselves, and presumably others, that they're really pen testers,
not really hoods, and so on.
But few observers are willing to
take them at their self-estimation. We note that Lizard Squad was an early entrant into this
criminal market. The other prominent form of business disruption is, of course, ransomware.
Palo Alto Networks describes how cyber extortion, while requiring some technical sophistication,
can be both a relatively low-cost and highly targeted
form of crime. Market forces are playing a role in this criminal cultural shift. As stolen data
becomes increasingly commodified, activity shifts from earlier capers like carding to higher payoff
exploits involving extortion. These days, when we mention artificial intelligence, you might think
of Siri on your iPhone or Cortana on Android.
Having our spoken questions answered by computers is fairly routine these days.
But just a few years ago, back in 2013, the notion that a computer could compete and win against top human players on the TV game show Jeopardy was mind-blowing.
That machine was IBM's Watson.
Watson, who is Franz Liszt? You are right. What is violin? Good. Who is the church lady?
Caleb Barlow is vice president for security with IBM.
Since winning the Jeopardy competition, Watson, we've been looking at cognitive computing in a variety of ways. Everything from what recipe might you make based on the ingredients in your fridge to, you know,
harder world-changing challenges like trying to solve cancer.
The advantage of a system like Watson, according to IBM,
is its ability to interpret data that's traditionally been hard for computers to
handle. Most of the data that we apply today in the world of cybersecurity is in the form of
structured data, things that are machine readable. But about 80% of the data that we really want to
get access to is in an unstructured form. It's blogs, wikis, videos, the latest research report,
or the transcript from the latest seminar on security.
Watson may be an ace when it comes to answering questions on Jeopardy,
but when it comes to cybersecurity, it's still got a lot to learn.
Much like human learning, it has to learn the language of security. It needs to learn what's
an attack, what's a target, what's a victim? What is malware? What is ransomware?
I was talking with one of our engineers, and Watson thought ransomware was a city.
And while I'm not really completely sure, I'm sure there must be a city somewhere called Ransom. So obviously it's a little bit humorous, but also much like human learning, it learns by making mistakes.
So we had to go back and say, no, Watson, this is in fact not a location.
It is actually an attack methodology.
And, you know, it's that type of grading process along with the annotation that helps the system actually learn.
IBM is partnering with colleges and universities to get Watson up to speed.
Ultimately, they hope it helps provide enhanced protection against cyber threats. Your average enterprise receives over 200,000 security events every single day. Now,
most of those are false positives. We're looking for that needle in the stack of needles,
and it becomes very difficult for human beings to find that on their own. They need some help,
and that's what Watson can do. He can help to weed out those false
positives, but also identify that needle, if you will, not in a haystack, but in a stack of needles.
That's Caleb Barlow from IBM. By the way, I always had a soft spot for Hal from 2001,
A Space Odyssey. Hal, care to say a few words? I'm sorry, Dave. I'm afraid I can't do that.
And yet, you just did.
Joining me once again is Joe Carrigan from the Johns Hopkins University Information Security Institute.
Joe, you recently had an email that came with some links that you thought were suspicious.
Why don't you tell us that story?
That's right.
I got an email.
The first thing that tipped me off was the grammar in the email wasn't well done.
And then there was a link to a domain I had never seen.
But it talked about tolls.
And I had just incurred a massive amount of tolls going up to New York and coming back about a week ago.
These are traffic tolls. Traffic tolls, right, like the E-ZPass system.
But actually, it was referencing a trip back in February that I took, but I wasn't entirely sure this was a legitimate email.
So I have on my machine something called VMware Workstation, which allows me to fire up virtual machines. And I've talked about virtual machines
here before. They're essentially machines that run as virtualized machines, and they only exist
in software on your host machine, which would be your hardware that you have.
So it's kind of a self-contained way of an isolated machine that's only running in software on your machine. Well, it's only running in
software on your machine, but it's not truly isolated. It has some interfaces to the outside
world. But if I change something on a virtual hard drive, I don't change something on my real
actual physical hard drive.
I see.
VirtualBox, which is a free product, and VMware Workstation that I use, both have the capability to take these things called snapshots, which is a state of the machine
as it is right now. So I go ahead and I take a snapshot. Now if I'm going to execute a link
that's malicious, I can just go back to that snapshot and it's like I never executed the link.
And I pasted the link into a browser in my virtual machine and executed the link.
And it turned out actually to be some tolls from a trip I took in February.
And they're just now sending me the email that has the invoice for them.
So it was a legitimate link.
It was.
But better safe than sorry.
All right.
Virtual machines can be your friend.
Joe Carrigan, thanks for joining us.
My pleasure.
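The two tells Joe describes, awkward grammar and a link to a domain the recipient has no relationship with, can be checked mechanically before anyone opens a virtual machine. The script below is an added example, not code from the podcast or its guests: it parses a constructed sample message, pulls every link out of the HTML body, and flags links whose real target is not a domain the (hypothetical) recipient actually deals with, uses plain HTTP, or shows one URL as visible text while pointing somewhere else. The `KNOWN_DOMAINS` list and the sample email are constructed for illustration.

```python
"""Triage the links in a suspicious email before anyone clicks them.

Added example, not code from the podcast or its guests. The sample message
and the known-domains list are constructed for illustration.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this hypothetical recipient actually has accounts with.
KNOWN_DOMAINS = {"ezpass.example", "mybank.example"}

# Constructed sample message modelled on the episode's "toll invoice" story.
SAMPLE_EMAIL = b"""\
From: Toll Services <billing@tolls-notice.example>
To: joe@example.org
Subject: Unpaid toll invoice - action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, you have unpaid toll from your recent trip, please review invoice.</p>
<p><a href="http://tolls-notice.example/invoice/8842">https://www.ezpass.example/invoice</a></p>
<p><a href="https://www.ezpass.example/account">Manage your account</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []          # finished (href, text) pairs
        self._href = None        # href of the <a> currently being read
        self._text = []          # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'example.com' from 'www.example.com'; good enough for a triage list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_links(raw_message, known_domains=KNOWN_DOMAINS):
    """Return a list of (href, reasons) for every link that deserves a second look."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())

    findings = []
    for href, text in collector.links:
        reasons = []
        target = urlparse(href)
        target_domain = registered_domain(target.hostname or "")
        if target_domain not in known_domains:
            reasons.append("link points at a domain you have no relationship with")
        if target.scheme == "http":
            reasons.append("plain HTTP, no transport protection")
        # Visible text that looks like a URL but resolves elsewhere is the classic bait.
        if text.startswith(("http://", "https://", "www.")):
            shown = urlparse(text if "://" in text else "//" + text)
            if shown.hostname and registered_domain(shown.hostname) != target_domain:
                reasons.append(f"displayed URL {shown.hostname} does not match real target")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in triage_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, the first link is reported with three reasons (unknown domain, plain HTTP, displayed URL disagrees with the real target) while the genuine account link passes. A link that comes up clean is still worth opening the way Joe does, from a snapshotted virtual machine, because a known domain can be compromised and an allowlist only tells you what you expected to see.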
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.