CyberWire Daily - Daily & Week in Review: Backdoors or legit apps? Serpents in walled gardens. Verizon's Data Breach Report.
Episode Date: April 29, 2016
Today we hear about potential backdoors (or maybe PUPs). Cash-stealing malware reported in Google Play. Third-party developers leave their credentials lying around GitHub. Triumfant watches Locky morph—five times a day. Dale Drew from Level 3 talks about point-of-sale risks. Verizon tells us all about their Data Breach Report. The Panama Papers may soon be released in full. Investors worry about the cyber sector, but some see healthy adjustment. And US Cyber Command works to make the "L" in ISIL stand for "loser."
Transcript
You're listening to the CyberWire Network, powered by N2K.
a back door. More serpents crawling around in Google Play's walled garden? Careless developers get their credentials booted by Slack. Triumfant looks at Locky and finds it morphs as often as five times a day. We talk to Level 3 about point-of-sale system risk, and Verizon gives us the skinny on their data breach report. U.S. Cyber Command seems to be putting the loser effect onto ISIS. Investors are spooked by the SecureWorks dead cat bounce, and think they see venture funding drying up. But Evident.io says no, this is a salutary correction preventing a bubble.
I'm Dave Bittner in Baltimore with your CyberWire summary and week in review for Friday, April 29, 2016. Breaking at week's end is a warning from Cisco's Talos unit,
which says that software exhibiting what Talos characterizes as
adware and spyware capabilities
is installed on around 12 million PCs worldwide.
The application Talos flagged is Tuto4PC's OneSoftPerDay.
Cisco's tools picked up the software as a generic Trojan. Investigation
indicated that it was installed with administrator rights on many endpoints.
Tuto4PC strongly disputes Talos' conclusions and points out that it's a long-established firm listed on the Paris Bourse, which no one, least of all Cisco, disputes. Their business model involves offering tutorials in exchange for users' acceptance of advertising.
Their software, Tuto4PC says,
is designed to evade excessively aggressive ad blockers.
Cisco disagrees and sees what it calls an obvious case
for classifying OneSoftPerDay as a backdoor,
or at the very least as a potentially unwanted program.
Tuto4PC has said it's taking legal advice in the dispute.
PhishLabs researchers say they're seeing more serpents in Google Play's walled garden.
In this case, it's cash-stealing HTML scams that are slithering through.
As criminals attend more to mobile devices, Zscaler finds some information-stealing Android
malware circulating in the wild.
It's posing as a Chrome update.
Another mobile issue may have surfaced in connection with the widely used and useful
Waze navigation app.
Researchers at the University of California, Santa Barbara, think Waze may be leaking enough
information to expose users to stalking.
Some developers building applications for the popular messaging and collaboration platform Slack
have been leaving API credentials exposed in GitHub.
This appears to be a case, multiple cases actually, of carelessness and inattention.
Detectify researchers found the problem and warned that sensitive corporate information could be compromised.
Slack moved quickly to address this third-party issue
by revoking the roughly 1,400 credentials
developers left flapping out there in the virtual breeze.
Security publication Dark Reading offers some advice for business travelers,
seven sensible steps you should take to protect yourself.
Avoid using public-use terminals.
Use a VPN client when connecting to Wi-Fi.
Keep your devices in hand while at breakfast.
Get loaner devices from IT, and use them.
Don't swipe your card at sketchy ATMs, gift shops, or hotel restaurants.
Install remote wipe software.
And finally, avoid using desk and lamp USB ports.
Good advice, all of it.
For some additional insight into the risks that
accompany point-of-sale systems, we spoke with Level 3 expert Dale Drew. We'll hear from him
after the break. Ransomware hasn't gone away, so do continue to back up your files. Triumfant researchers have been taking a look at the Locky strain of ransomware, and they point out that it morphs too quickly for signature-based detection to be of much protective worth. In fact, as Triumfant observed Locky, they found it shapeshifted as often as five times a day.
Joining me is Dale Drew.
He's the Chief Security Officer at Level 3 Communications,
one of our academic and research partners.
Dale, point-of-sale systems are certainly a popular attack target for bad guys,
and your team has been doing some research on a particularly sophisticated strain of point-of-sale malware called Poseidon.
Well, you know, this is one where I think that industry collaboration really paid off in stopping
a potentially very serious industry issue. You know, this is one where we received information
from our industry partners through Palo Alto, Unit 42, and through Cisco on some emerging malware that they had discovered called Poseidon.
We then took those signatures and we implemented them in our internet backbone and saw a very
emerging, very sophisticated set of attacks that were occurring.
So what we discovered was we discovered a very specific actor that appears to be related to organized crime
that was targeting European credit card providers and merchants with this malware.
They were compromising the company through phishing attacks.
They were depositing that malware on internal computers,
and then that malware was programmed to compromise the point of sale terminal and sniff off credit cards.
So we notified the victims that we found on the internet backbone.
We instituted an algorithm that automatically detected it and automatically blocked it on
the backbone, and we protected our internet backbone and our customers and the internet
as a whole from this very sophisticated attack.
And what's your advice for people who are running point-of-sale systems to protect themselves against this sort of thing?
You know, I'd say it's really two things.
You know, the one thing is we can't stress enough, you know, making sure that the employee enterprise desktops
do not have any visibility to the production point-of-sale
systems. In almost all of the attacks, the victim networks were very flat. Once the bad guy
compromised either a data center system or compromised a desktop, they were able to gain
access to pretty much the entire production network because there was no separation between the production network
and the employee network.
So making sure that you have contained isolation areas
so that when there is a compromise that it's isolated within that specific area
is pretty critical.
And these are lessons learned that we've learned through other compromises
like Sony as an example.
The other lesson learned, I'd say, is having access to have something that is machine learning your behavior, your network's behavior, your communications behavior, your protocol behavior, and telling you when it sees something anomalous.
So when we went to all these victims and asked them, is it normal for a single employee desktop to gain access to all of the point-of-sale terminals? The answer was absolutely not.
Had they had a machine learning threat intelligence infrastructure
that was able to determine that that was not usual behavior,
they would have detected it the moment it occurred.
Dale Drew from Level 3 Communications, thanks for joining us.
And remember, we want to hear your questions for our academic and research partners.
You can email them to questions at thecyberwire.com.
As we look back at the week that's now ending, we've heard considerable woofing from ISIS about
its new cyber attack capability. No one looking at the caliphate, still less the newly formed
cyber army of sympathizers, the United Cyber Caliphate, takes its technical claims particularly
seriously. The hacktivists striking for jihad seem capable of little beyond skid-level script
kiddie vandalism of poorly protected targets of opportunity. Propaganda and inspiration,
however, are quite a different matter, and here ISIS has shown considerable ability to get its message out online.
The United Cyber Caliphate made a familiar and unwelcome move as the week began,
posting a hit list of murder targets for the use of ISIS sympathizers in the Dar al-Harb.
Most of those on the list are in New York,
and the FBI is taking appropriately serious steps to investigate.
The increasingly overt U.S.
cyber campaign against ISIS seems to be having an effect. In some respects, it's targeting,
in others jamming, and in others spoofing. In still other respects, the U.S. campaign offers
a kind of paranoia as a service, inducing potential ISIS recruits to think that everything
is witnessed, everything known. The campaign may be hitting ISIS at its weakest point.
After all, if you say you're a caliphate,
you've got to show the kind of worldly success that should flow from divine sanction.
But if you look like a loser, then you've lost.
So good hunting, Cyber Command.
Verizon's industry-standard data breach report appeared this week,
moving the Harvard Business Review to the belated realization that data breaches aren't just the IT department's concern anymore.
We sat down with Dave Ostertag, Global Investigations Manager for Verizon's RISK Team.
We see very commonly the same things over and over again.
And the first in-depth pattern is compromising servers to repurpose them for their malicious use.
You know, once they get access into a server, use it as a command and control point,
a data aggregator, or an exfiltration point.
The next is a continuation of a trend of the increase in the use of phishing.
You know, that weak link there with people clearly showing that someone will always open the email, click on the link, or open the attachment.
We consistently see, even though we still know that just like phishing is bad, we know that single-factor access into our networks is bad.
We continue to see use of single-factor access into the network.
And then the other use of phishing in these attacks involves spear phishing. They'll
do their research in footprinting and social engineering and identify that individual,
that executive, that manager, that team member that would have access to the data that they're
looking for, whether it be a project, a set of statistics, some intellectual property,
or whatever it might be. The phishing attack, in this case, hits the end user system
that might contain the very information they're looking for.
And then malware.
Malware is absolutely a key intersection in the playbook that the bad guys use, where
we used to see the bad guys manually go into a network and RDP into systems and manually
conduct all of the things involved in the
data breach, you know, stealing credentials and using those credentials to explore the
network to find data, to aggregate the data and exfiltrate the data.
You know, now the malware does all of that for them.
Less chance of detection, you know, greater spread across the network.
It ends up looking more like legitimate business,
and the malware is a key to that, very common.
And then finally is credentials.
By far, the one tool that the bad guys use
that make it more difficult to detect
and more successful in execution
is the use of stolen credentials.
For the initial attack vector,
using single-factor authentication,
like I talked about.
And then also, once you get into the network, the bad guy uses elevated-level privileged credentials
to traverse the network and gain access to those servers and systems that have the data they're looking for.
Despite the variety of attack vectors, the team at Verizon did notice a
specific trend. When we look across industry verticals and look for patterns or trends or
commonalities there, one clear trend that we see in the 2016 DBIR is the use of web app attacks
across all verticals. That's one statistic that comes through very clearly this year.
We do have some very clear patterns within specific industries, however.
And when we, the writers of the data breach report,
are asked what we want readers to use the report for,
it's to manage their security program from a risk-based perspective,
and that risk being the likelihood of data being compromised. While some of the attacks have grown more sophisticated,
Ostertag reminds us not to forget the importance of basic cyber hygiene.
When we get down to it, when we look at the methodologies the bad guys use,
they're really basic. You know, they're not Star Trek, they're not James Bond, they're not advanced.
You know, it's simple techniques of stealing credentials, of using vulnerabilities that, in a lot of cases, are easily patched,
and using phishing emails and things like that. So practicing good basic security is very important.
One of the key takeaways from the Verizon report, according to Ostertag,
is not to underestimate the human factor when it comes to securing your networks. I think what we clearly see in this year's report is one of the weak
links are people. You know, over and over again, people seem to be the weak link, whether it be
through phishing, social engineering, you know, not practicing good protection, going to inappropriate
websites, inappropriate email content, use of unapproved devices.
People continuously seem to be one of the big weak links.
So I think one of the big, big key points that we see in this year's report is the individual,
is the person that's being a weak link in our security chain.
That's Dave Ostertag, Global Investigations Manager from Verizon's Risk Team.
Their 2016 Data Breach Investigations Report is on their website, verizonenterprise.com.
It's been a mixed week for the security industry.
Last week, SecureWorks' initial public offering was weighed, measured,
and found, at least in terms of initial pop, wanting.
NASDAQ put a positive spin on the IPO's disappointing performance and says, hey,
at least they've got the offering out there, which is more than a lot of tech companies can say.
And that's true enough. But analysts point out that investors are now looking for profit,
or at least cash flow, behind the story they're told by story stocks.
Some alarmist stories have appeared that suggest the days of venture capital's interest in cybersecurity are over.
But we heard a different take on the market from Tim Prendergast, co-founder and CEO of Evident.io,
a startup that this week raised $15.7 million in Series B funding.
He expected the tightening of venture investment,
and he thinks it augurs a culling of security startups through acquisition or simple disappearance
as the market adjusts.
Quote, "Tightening the belt and letting some air out of a market that was at risk of attaining bubble status is not only good for the consumers of security solutions, but also for the industry itself, as it forces established and emerging players to continue to be innovative and forward-thinking. This really could not have come at a better time in the evolution of our industry."
Looking at public companies, BlackBerry seems to be enjoying some success repositioning itself as a cybersecurity play.
Symantec is well in progress with a similar strategic repositioning,
but disappointing guidance this week led the company's board to make a change in CEO.
We did hear some good news last night at the Chesapeake Regional Tech Council's annual Tech Awards.
Congratulations are in order for Tenable Network Security, which won the council's first Governor's Award.
Another Baltimore cybersecurity firm, Red Owl Analytics, was a finalist for that award and surely merits an honorable mention.
Cybersecurity expert Marcelle Lee of the Fractal Security Group took this year's Women in Tech Award,
and two startups also earned some recognition.
Protenus earned the Rising Star Award, and Point3 Security took home this year's Cyber Innovator Award.
Congratulations to all who won and all who
competed. Finally, remember those Panama Papers? And remember that Süddeutsche Zeitung said,
there's more? Well, Computer Vodka says there's more coming in May, and we note that May begins
Sunday. The group that took the leak, the ICIJ, says it's going to post all 2.6 terabytes of data in searchable form.
Stay tuned, and have a great weekend.
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.