CyberWire Daily - LifeLock closes proof-of-concept hole. US-CERT warns of active campaigns against ERP applications. Ad blockers may function as spyware. Parasite HTTP RAT. Underminer EK. NSA's IG scowls.
Episode Date: July 26, 2018

In today's podcast we hear that LifeLock gets locked down—probably no harm done, maybe. US-CERT warns of active campaigns against ERP applications. Ad blockers may be doubling as spyware. A new RAT gnaws away at corporate HR departments. Underminer shows that exploit kits aren't obsolete after all. NSA gets a bad report from its IG. Congress worries over Russian infrastructure reconnaissance and influence operations. Iran's OilRig and Leafminer remain active regional threats. Joe Carrigan from JHU ISI on infosec pros reusing passwords. Guest is Jessica Ortega from SiteLock, discussing how having social media icons on your website increases the odds of falling victim to attacks. For links to stories in today's podcast check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/July/CyberWire_2018_07_26.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code N2K.
LifeLock gets locked down.
Probably no harm done. Maybe.
US-CERT warns of active campaigns against ERP applications. Ad blockers
may be doubling as spyware. A new RAT gnaws away at corporate HR departments. Underminer shows that
exploit kits aren't obsolete after all. NSA gets a bad report from its IG. Congress worries over
Russian infrastructure reconnaissance and influence operations, and Iran's OilRig and Leafminer remain active
regional threats.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for
Thursday, July 26, 2018.
Here's an alert for consumers.
One of the better-known identity protection companies, LifeLock,
has fixed a problem with its systems that enabled any interested party
to browse and index customer email addresses to customer accounts.
It would have been possible for an attacker to unsubscribe customers from LifeLock communications.
More seriously, it could have facilitated spoofing millions of LifeLock customers
with phishing emails purporting to come from LifeLock. Symantec, which owns LifeLock,
issued a statement this morning in response to coverage of the proof of concept by KrebsOnSecurity
that should put customers a bit at ease. Quote, this issue was not a vulnerability in the
LifeLock member portal. The issue has been fixed and was limited to potential exposure of email addresses on a marketing page,
managed by a third party, intended to allow recipients to unsubscribe from marketing emails.
Based on our investigation, aside from the 70 email address accesses reported by the researcher,
we have no indication at this time of any further
suspicious activity on the marketing opt-out page, end quote. The U.S. Department of Homeland
Security's US-CERT has warned businesses that hackers are actively targeting SAP and Oracle
enterprise resource planning applications. Those are ERP applications. SAP and Oracle are the market leaders in this important
segment. Their products are widely used across many business sectors. The warning from US-CERT
was prompted by release of research by ERP security specialist firm Onapsis and risk
management firm Digital Shadows. ERP applications are especially attractive to hackers because of the sensitivity
of the data they handle and store. Business intelligence, customer relations, asset lifecycle
management data, supply chain information, and human resources data. There are hundreds of
thousands of ERP implementations worldwide, and the researchers note that what they call
an astounding number of those implementations are insecure.
According to Onapsis and Digital Shadows, there's been a dramatic rise in attacks detected,
and also a spike in dark web chatter related to ERP vulnerabilities.
The criminal markets operating in the dark web appear to be doing a brisk trade in ERP exploits,
particularly exploits for SAP HANA.
The attackers represent the full mix of usual suspects,
criminals, hacktivists, hobbyists in it for the voyeuristic lulz,
and of course national espionage services.
The researchers have identified nine campaigns
mounted against ERP applications by recognizable hacktivist groups.
The criminal attention comes to a significant extent
from Russian-speaking organized crime groups.
Russians giving digital age gangland the stereotypical ethnic tone
associated with Italian organized crime provided during the U.S. Prohibition era.
Linguistic note, the Russian word for mafiosi is mafiosi, and who saw that one coming?
It's easy for enterprises to overlook ERP application security. The applications themselves,
for one thing, typically reside behind an enterprise firewall, and it's possible,
therefore, to be lulled into giving application layer security a somewhat lower priority, assuming that the firewall is taking care of business.
But ERP applications, especially post-cloud migration, present a large and attractive
attack surface, and enterprises would do well to devote some attention to application layer
security, the research says.
Does your organization's marketing department use social media icons on your website
to help promote their presence on places like Twitter, Facebook, or LinkedIn?
Well, researchers at security company SiteLock discovered that having those seemingly harmless buttons on your site
doubles the likelihood that the site will be infected with malware.
Jessica Ortega is product marketing specialist at SiteLock.
We're talking about the icons that you put on your website that allow your visitors to go to
your social media pages. So this would be like your Twitter button, your Facebook button, your
Instagram feed, anything that would connect your users from your website to your social media
presence.
And these are certainly, I would say, fairly ubiquitous at this point. So what is the risk here? Why do folks who have these buttons here find themselves more likely to be attacked?
So there's a couple of different risks. The first is that a lot of times cyber criminals will use
social media as a way to scan for business websites. So they'll go onto Facebook or Twitter and they will build these bot programs that scan for and collect lists of URLs.
So they'll go and they'll look for anything that starts with www or ends with .com or .net.
And they'll build a list and they'll use other automated programs to attack those sites based on that list.
And then the second kind of layer of that is if you're using an application like, say, Joomla or WordPress, and you're using plugins or add-ons to connect to those social media sites, those plugins may have vulnerabilities in them that could allow attackers to access like the back end of your website. So it's not necessarily a vulnerability in the functionality of the buttons
of themselves. It's that, I guess, having them there makes you more likely to be a target for
some sort of automated scanning? Right. It's not necessarily the functionality of the buttons so
much as it is the functionality of the plugin or add-on that puts those buttons there.
And then the more popular you are on social media, the more attention that you may derive.
And that may make you a target for these cyber criminals who are using automated programs to say, look for somebody who has a million followers so that they can hack them because they know that their website likely gets a lot of traffic. Now, obviously, having these buttons on
your website has an upside to channel people to your social media presence. So what do you
recommend in terms of protecting yourself or minimizing the possibility of these being a target?
Yeah, absolutely. We would never go out and say that you shouldn't have a social media presence. I mean, having a Facebook business page or a Twitter handle is almost a requirement now
if you have your own business or your own startup. So it does definitely allow you to engage with
your users and it is positive. But what we recommend is for the first layer, always make
sure that you're using two-factor authentication on your social media
handles, that you're only listing the business information that needs to be available. So
you're not sharing those posts that have surveys on them like, what was the name of your first dog,
your mother's maiden name, that kind of thing, because those do often get harvested to be used
in cyber attacks. And then on the website side, if you're using plugins or add-ons to make those buttons or make those features available on your website,
you should always make sure that you're going in periodically at least once a month and updating those plugins as security updates are released.
That's Jessica Ortega from SiteLock.
Jessica is also the co-host
of the Decoding Security podcast. Check it out. It's worth a listen.
Android ad blockers may be a bit too nosy for comfort. Researchers at the firm AdGuard have
taken a look at some of the more commonly used ad blocking extensions for Chrome,
and they've noticed that they collect and report a good bit of information
about the user's browser history back to the app's controllers.
The family of extensions AdGuard cites as amounting to potential spyware
are produced, AdGuard says, by a company called Big Star Labs,
apparently incorporated in the U.S. state of Delaware,
but doing business who knows where.
Proofpoint this morning announced its discovery of a new remote-access Trojan
being traded in criminal markets.
They're calling the RAT Parasite HTTP,
and they say it's noteworthy for a big bag of evasive tricks,
including sandbox detection, anti-debugging capability,
anti-emulation measures, and so on.
It's also modular, which enables the hoods who control it to add functionality once it's installed.
Parasite HTTP spreads by phishing.
It's delivered as a malicious attachment to an email directed to various human resources-related distribution lists,
usually good guesses at what names those lists might have.
HR at a domain, recruiting at
a domain, accessibility, resumes, that sort of thing. So far, Proofpoint has seen Parasite HTTP
in a single campaign directed at the IT, healthcare, and retail sectors. But any business would do well
to remind its employees that not all proffered resumes or CVs, the typical fish bait used in the campaign, are what they seem.
TrendLabs is tracking Underminer, a cryptojacking bootkit with an encrypted TCP tunnel.
It infects its victims with a bootkit and also a cryptojacker called Hidden Mellifera.
The kit transfers its malware over an encrypted TCP tunnel
and packages its payloads in a customized format.
TrendLabs says the format is similar to ROM file system format, and that makes them resistant to analysis.
One lesson Trend Micro thinks the activity holds is that exploit kits may have fallen somewhat out of fashion, but they're by no means gone.
The U.S. National Security Agency has received a starchy report from its inspector general.
The NSA IG found that the agency's analysts performed searches under NSA's Foreign Intelligence Surveillance Act authority that were non-compliant.
The problem seems to involve, for the most part, fumbling of complex safeguards.
The IG cites, quote,
human error, incomplete understanding of the rules, and gaps in guidance, end quote,
as the causes of the lapses, but the report is an uncomfortable one,
by no means a letter of recommendation.
As U.S. congressional and other attention continues to be lavished on the threat that Russia poses,
by general consensus and specific evidence to both infrastructure and elections,
security firms warn of an increase in cyber activity emerging from Iran.
Palo Alto Networks repeats its warning of the OilRig campaign against the energy sector.
Symantec notes that the Leafminer group, also thought associated with Tehran,
represents a rising threat, still stumbling but eager to learn, and clearly on its way up.
Iran's recent cyber activity has focused on regional rivals and associated targets,
but this seems a matter of strategic decision and not necessarily a sign of limited capability.
And finally, the U.S. Congress intends to invite tech industry leaders back to Capitol Hill to testify about what they can or should or might do to fight election influence operations.
The companies so far invited will surprise no one.
They're Facebook, Google, and Twitter.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their
controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host on the Hacking Humans podcast.
We had an interesting story come by
from HelpNet Security.
It's titled,
Many InfoSec Professionals Reuse Passwords
Across Multiple Accounts.
Something you and I
have spoken about many times. Passwords
and password managers. Is this
do as I say, not as I do?
It sounds like it.
I'd like to see more granularity on this
report. It says about 45% of
them use it. So let's take
a couple of websites, for example.
Let's say I'm going to log
onto something. I just need some information to get something. And they're going to say,
we need you to log in and create an account in order to get this information. Well, guess what?
You're not getting top-notch security. I don't really care if this account gets breached. I'm
not even going to ever log into it again. So maybe- So you're going to have a throwaway password
you may use for that. Maybe
I'll use a throwaway password. You're not going to fire up your password manager and waste a
hundred digit long random thing on that password or on that site. Okay. Yeah. But I mean, but that
doesn't mean that I don't use a password manager for every single one of my sites. It does matter
to me. Like my every email account that I have has its own individual password and they're long and they're complicated. Every financial website I
access, same thing. Everything that is of consequence, it's a risk determination of
mitigating of the likelihood, which I consider to be very high likelihood that some site's going to
be breached, right? But then I have to consider
also the impact of that site being breached. Like, for example, I recently was on TrueCar
and created an account with a disposable email address. Do you think I care about that password
if I'm checking the price of a car I'm looking at? No, I don't care. It doesn't matter.
Yeah. I have to say, before I used a password manager, I was certainly guilty of this.
Right.
For the reason everybody says.
It's easier to reuse or cycle through what are now easily guessable variations of password bases.
Right.
Yeah, there's that paper from Virginia Tech we talked about a while ago.
I think that was on the Hacking Humans podcast.
They said if you change your existing passwords in a minor fashion, then if I know one of your passwords, I can guess another one of your passwords in less than 10 guesses.
Right.
So you shouldn't be protecting your accounts for things like bank accounts or even Netflix.
You shouldn't be protecting a Netflix account because if somebody gets into your Netflix account,
that actually becomes a denial-of-service problem for you.
It's interesting.
This survey also found that 20% of security pros had used unprotected public Wi-Fi.
What's your take on that?
That actually seems low to me.
Yeah, generally, first off, yeah, I think it is low.
I have connected to unprotected Wi-Fi, but I always use a VPN when I do so that I know that the connection is secure between me and the VPN.
Even from your mobile device?
Even from my mobile device, yes.
Okay.
Actually, for my mobile device, I have unlimited data,
so I generally don't even connect to my home Wi-Fi for that.
I just use the mobile Wi-Fi network or the mobile data network.
Sometimes when I travel, I do wind up in places where I'm not connected to a secure site,
so I do have to use a, like just last weekend, I was at a place where they have an open Wi-Fi,
and I don't have a lot of data access.
So from time to time, I would have to connect to that network. And yes, I turned on my VPN, which I pay for.
If you get a VPN, make sure you're paying for it.
Because like Tim Cook says, if you're not paying for it, you're the product.
Right.
The product I purchase allows me to use the VPN from up to five devices, I think.
So my phone is one of them.
Right.
So remember, don't just talk the talk, walk the walk.
Great job, brother. That's right. All right. Joe, as always, thanks for joining me. It's my pleasure, Dave.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan,
Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.