CyberWire Daily - Magecart continues its way. Evil cursor attacks. Seasonal trends in Trojans. More Novichok disinformation. Pyongyang denounces a "smear campaign." Wait and see on pipeline fires.
Episode Date: September 14, 2018
In today's podcast we hear that Magecart has achieved another library infestation as Feedify is hit. An evil cursor attack is a variant of a familiar tech support scam. The Ramnit banking Trojan... seems to be spiking during the summer, and there are various theories as to why this might be so. More Novichok disinformation is out. Safari url spoofing seems more nuisance than serious menace. North Korea denounces the US for a "smear campaign" against the Lazarus Group, which doesn't exist, either. Joe Carrigan from JHU ISI shares his frustrations with his bank's insufficient password practices. Guest is Ron Gula, former CEO and co-founder of Tenable Network Security, currently President at Gula Tech Adventures which focuses on investing and advisement of two dozen cyber-security companies. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_14.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
Magecart counts another library infestation as Feedify is hit.
An evil cursor attack is a variant of a familiar tech support scam.
The Ramnit banking trojan seems to be spiking during the summer.
More Novichok disinformation is out.
Safari URL spoofing seems more nuisance than serious menace.
And North Korea denounces the U.S. for a smear campaign against the Lazarus Group,
which doesn't exist either.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday,
September 14th, 2018. The Magecart gang appears to have hit another victim this week,
moving on from its successful breach of British Airways to an attack on customer engagement company Feedify.
It succeeded in compromising Feedify's shared JavaScript library, an attack that's consistent with the gang's long-standing practice of going after targets in the supply chain.
We've been calling Magecart a gang, but really it's a few different groups now using the same commodified malicious code, as the RiskIQ researchers who've been following Magecart explained to Infosecurity Magazine.
Feedify had actually been infected back in August
and cleaned out the bad code.
This latest incident is a re-attack.
RiskIQ recommends that anyone using the library remove
the JavaScript link from their stores as soon as possible. Malwarebytes notes the appearance of an
evil cursor attack that affects recent versions of the Chrome browser. It prevents users from
closing a window or a tab by clicking the usual X at the top, instead displaying a scare pop-up to drive nervous users
to the criminal's bogus service offerings.
Virus alert from Microsoft. This computer is blocked, the screamer reads.
Below, it advises, do not close this window and restart your computer.
As it explains why we block your computer,
the pop-up's syntactic control grows
looser and less idiomatic, certainly nothing that they'd tolerate at Redmond. The reason why they
block your computer is the usual argle-bargle designed to scare the timid. It's an illegal
registry key. This window is using pirated software. This window is sending virus over
the internet. This computer is hacked or used from undisclosed location and so on.
But they've got your interests at heart.
We block this computer for your security.
And when you care enough to block a computer,
naturally you care enough to provide a toll-free helpline.
Obviously, don't bite.
Just shut it down and move on.
It's not from Microsoft, and may we express some sympathy for Redmond over being such impersonation fodder.
Console yourself, Microsoft. It comes with being a market leader.
The evil cursor is, in effect, a wrinkle on a scareware tech support scam,
with a twist that it actually does block you from using that X to exit a browser tab or window.
A number of organized criminal groups are using the evil cursor attack,
with the Partnerstroka gang first among equals.
Malwarebytes is working with the Chromium team at Google to put a stop to this nonsense.
We hope they can do something.
Evil cursor sounds pretty bad, and if an evil maid got a hold of an evil cursor, why, it'll be pretty much Katie bar the door, right?
Security firm Check Point has been following the Ramnit banking trojan, and they see a seasonal pattern.
It seems to them to peak during the summer. This is the second year they've observed a surge from May through July.
SC Magazine points out that Ramnit, for the most part, works by turning victim machines into malicious proxy servers.
Why there is this apparent seasonal peak isn't clear.
Some researchers pooh-pooh this phenomenon.
Security firm WatchGuard, for one, told SC Magazine it hasn't really seen the same thing and that they'd need more data to understand it.
But they do offer some speculation.
Maybe there are a lot of school-age kids out there on summer break
with too much time on their hands.
Kids these days.
They used to hang out on street corners smoking and throwing rocks at cars.
Now they mess around with commodity Trojans.
Or here's another explanation.
Maybe the kids are all right,
researchers at Trustwave's SpiderLabs think, and maybe it's the IT and security staffers coming
back from the annual two weeks that contract and custom entitled them to spend at Perth Amboy or
Wells-next-the-Sea. When they get back to the job, the email's been accumulating and the inbox
is a mess. So in a rush to clear it out, maybe
their usual vigilance and skepticism aren't quite there, so they inadvertently swallow more fish
bait. Or as security experts at Fujitsu point out, someone else less wary than the usual crowd
could be filling in for them while they're off playing miniature golf in Ocean City, and blammo, all of a sudden, you're infected.
In any case, seasonal trends are interesting,
and sometimes difficult to get a handle on.
Speaking of holidays,
the two GRU goons British authorities fingered for the Salisbury nerve agent attacks
have now appeared on Russian television as part of Moscow's continuing dissembling.
Alexander Petrov and Ruslan Boshirov said sure, they were in the UK,
but that they're just a couple of sports nutrition enthusiasts
who went to Salisbury as innocent tourists interested in seeing Stonehenge and the cathedral.
And sure, maybe they went by the Skripals' house, but that was an accident,
because they've never heard of anyone named Skripal, and besides, they didn't know where
they lived. Prime Minister May's spokesman at No. 10 calls the gentlemen's interview
blatant lies and fabrications and an insult to the public's intelligence.
It's hard not to agree, but unlikely insistence is a common motif in information operations.
The incident's whole aftermath would be comedy, comedy that it is,
if it didn't involve nerve agent poisoning, several injuries, and at least one death.
The Safari browser flaw reported this week does make URL spoofing easier,
but consensus seems to be that it's more likely to be a nuisance than a major threat.
An easy protection, Sophos says, is to stay clear of easily impersonated HTTP sites.
North Korea denounces the U.S. indictment of one of its Lazarus Group hackers as a smear campaign,
which of course North Korea would.
The indictment is part of a long-running American policy
of charging officers of foreign governments with hacking offenses.
It raises some interesting questions about drawing a line in espionage.
Destruction or theft would seem to be actionable,
and that's the line U.S. authorities have tended to be most comfortable drawing.
Information operations or simple espionage
seem arguably more complex,
as a piece in The Economist points out.
Would traditional signals intelligence
be as offensive as various forms of cyber espionage?
Does disinformation somehow seem worse
if it's committed over Twitter
than if it's distributed in the form of leaflets?
The answer many seem to want to give is that the cyber forms seem somehow worse.
Finally, there's much mutually amplifying woofing in social media
to the effect that gas explosions in the U.S. Commonwealth of Massachusetts
were the result of cyber attacks.
This is grossly premature speculation,
as people who work in industrial control system
security have been quick to point out. The incident is under investigation, and such inquiries take
time. There are plenty of accidents, and most of them are just that. So let's wait and see.
Not everything happens for a nefarious reason.
faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this,
more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls
with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews,
and reporting, and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
He is also my co-host on the Hacking Humans podcast.
Joe, good to have you back.
It's good to be back, Dave.
You know, we had a story come by from The Register where they interviewed someone by the name of Joseph Carrigan.
Really? Yes, a Register reader who was having some issues with some password information
with a bank that he does business with.
Joe, fill us in on this story.
Right.
So I went to one of the banks with whom I have a credit card.
Right.
And like I have always said, and I practice what I preach, I use a password manager.
I use very long and complex passwords for every
site that is important to me that I deem would be bad if someone got a hold of the password.
I also have a personal policy where I change the passwords frequently, with some frequency,
not frequently, but I change them like once every 90 days or 180 days.
All right, you're on a rotation.
I'm on a rotation.
Now, there's some research out there that says you shouldn't force users to change passwords.
Yeah.
And that's actually valid research, and it has a different thing.
But that's coming from the policy side.
Right, because that encourages password reuse.
Exactly.
Whereas you're spinning up long, random passwords, so you don't have that problem.
On a personal policy, I still think it's a good idea to periodically change your passwords.
Okay.
Because that protects you against the breach that you don't know about.
Okay.
Right?
Sure.
Or even the company might not know about.
So I go to the password change interface, and I can log in using my password manager, no problem. But when I go to the password change interface on this particular site,
and I click Control-V to paste my current password in, and nothing happens.
So I try it again.
I try it all up.
Nope, can't do it.
Can't do it.
So I actually called their customer support line, and I got tech support,
the first-level tech support, and I said,
I can't change my password
with my password manager.
And they're like, yeah, you're going to have to manually enter it.
I said, my password is 30 characters long.
I say, listen, that's going to require 90 keystrokes of random characters, and there
can't be any mistakes in that.
I don't have those kind of typing skills.
Yeah.
Right?
Right.
You need to be able to, and the first level person was very insistent, no, you're going
to have to read.
So I said, I don't think you're understanding what the problem is here.
So I get to the second level tech support.
Okay.
And I say, is this by design?
And this person tells me, yeah, it's by design.
We don't want people pasting passwords into the field.
And I said, that is a bad security practice.
You should not be doing that because it prevents people from using a password manager.
Well, let me play devil's advocate here, because I think one of the issues where I can see why
they would do this is that we've seen certain types of malware, particularly when it comes
to trying to steal cryptocurrency, where they go after the cut and paste buffer.
That's where they target.
They look for you to be cutting and pasting things because that could be a weak link.
That's in the clear, right?
You're cutting and pasting things.
Yeah, but a password does have to exist in the clear momentarily because the password manager I use actually clears out that field shortly
afterwards.
However, that is the same risk as having a key logger on your computer where they could
just get a sample of my username and password from my keyboard entry.
So the risk is, you know, it's one risk or the other.
And the risk is, so I don't view those two risks as being significantly different.
Either I'm cutting it and pasting it or I'm entering it manually.
One of the two is going to have to happen.
So the password manager I use is Password Safe.
It was designed by Bruce Schneier, who's a well-known person.
Everybody in security knows who Bruce Schneier is, right?
Yep, yep.
But one of the things they have as a feature of that product is you can perform an auto-type,
but you have to go into the settings and change the auto-type settings
because the default auto-type settings is it will send the username,
it will send a tab character, and then it will send the password,
and then it will send a return character.
I see.
So you just have to change it to send just the password character,
or just the password rather.
I see.
You change with a backslash P.
So rather than doing a cut and paste, the software can be configured to actually do the typing.
Correct. And that, if you're really concerned about somebody capturing your buffer, you can
use that feature of the program. Although you're probably then again vulnerable to the keyboard
logging because it still counts as an input device. All right. Well, it's an interesting
story. Again, it's over on The Register.
You can search for Joe Carrigan and you'll find it there. Thanks, Joe. It's an
interesting story as always. Good to see you. It's my pleasure, Dave.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly
and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant. My guest today is Ron Gula. He started his career as a penetration tester for the NSA,
but is perhaps best known as co-founder and former CEO at Tenable Network Security,
a company he helped scale to more than 20,000 worldwide customers
with annual revenue of more than $100 million.
Ron is president of Gula Tech Adventures,
which focuses on investing in and advisement
of emerging cybersecurity companies. When I was in the Air Force, I went in to be a pilot. I didn't
set out to be an entrepreneur, but I had always enjoyed computers. I had PCs, PCjrs growing
up, an Atari 400, that kind of stuff. And it wasn't until I had worked at the NSA, worked at BBN, worked for USinternetworking,
that I said, I think I have a product or an idea to help folks and possibly be an entrepreneur.
And at the time, I was using ISS RealSecure.
ISS was a network intrusion detection system.
And it was Windows only.
And this is when Linux was just coming out. This is before people had Linux everywhere and before
there were things like Snort. And I wrote something called the Dragon Intrusion Detection System,
which you could SSH into a Linux box or a FreeBSD box or even OpenBSD back in the 90s
and do network intrusion detection and network forensics.
And that was my first sort of foray into entrepreneurship.
Now, take us through the process of scaling, though, because you start off with an idea and probably a handful of people.
But Tenable is a $100 million plus company.
How do those transitions work? Are they difficult? Are
they growing pains throughout? Yeah. Scaling is a never-ending
problem. And even after you go public, like Tenable, now you got to keep scaling, right?
In many ways, it's a starting line, not a finish line of going public. So if you're going to scale,
I always try to tell entrepreneurs, what do you want? What is your goal?
If you can't answer that, that means somebody else is going to answer that question for you.
Probably also going to define your level of job satisfaction and happiness as well.
So I always tell people, what do they want?
And so if you're going to scale, if you're going to get customers, if you're going to try to have fun, if you're going to try to be innovative,
those are all very, very different things.
And unless you have that focus about what you're trying to accomplish, you're not going to be able to make those hard calls.
What are the things that you have your eye on today?
What's exciting you as you go out and you do things with Gula Tech Adventures?
What sort of things have your eye?
So we focus on a number of different things. First and foremost, we're obviously trying to push
cyber hygiene, cyber exposure, the Tenable Network security
message. And we still do a good bit of work with organizations who
are struggling with the realities of doing vulnerability management compliance
in a modern network. Having said that, in my post-Tenable
career, what we're focusing on is next-generation cloud,
threat, and cyber hygiene. So that includes things
like patch management. It includes things like secure voice communications.
It includes things like very radical next-generation
cloud architectures such as unikernels. Some of your readers
might not have even heard of what a unikernel was, but it's sort of the next evolution
of what happens after containers and serverless
security in an on-prem environment. So we're having
a lot of fun seeing where the market's going and seeing what's
interested out there. We're also spending a lot of time with
organizations. If anybody out there wants to reach us,
we were very active when I was the CEO at Tenable meeting with people. But at the end of the day,
no matter what conversation we're having at Tenable, the answer is Tenable. Now
managing a portfolio of almost 30 companies, it's a very
interesting conversation because I can generally say where we're focusing,
what kind of problems a CIO or CSO might have. And then they'll go, oh, tell me more about secure voice. You know,
we had an executive, you know, get their phone snooped by whichever adversary country they were
visiting to. Or, hey, we're having a next generation cloud project. We're going all in
with insert vendor here. Do you have anything that can help secure, you know, Amazon Lambda, you know, for example.
So it's very interesting seeing those trends
and definitely having a lot of fun doing that.
What's your advice for that person
who thinks they may have a good idea,
may want to strike out on their own with some,
they have their own entrepreneurial spirit.
Having been through everything you've been through,
do you have any words of wisdom?
Yeah, a couple words.
So one, don't confuse good security, a good security solution with the fact
that people might want to buy it. There's a lot of examples of people who come up with a great
security widget and the market wasn't ready for it. Market didn't want to buy it.
And even if your solution is just a little bit better than something that's out there,
you might be able to demonstrate that you're...
The CTO of Tenable told me this. If you're 5% better than
something that I deployed and it took me a year to deploy it, I'm not going to replace that.
The second thing I mentioned before is if you're going to get into
entrepreneurship and growing a company, you should have a specific
goal in mind.
And it's okay to reevaluate those goals based on your success in your market, but you shouldn't
just get involved in entrepreneurship to make money, to put a name for yourself. You should
really do it because you have passion. And if you've got passion for whatever problem you're
solving, everything else should be not really a moot point, but it should be an exercise that there's a lot of help on.
It's having that idea and that passion that you can't predict and you can't do.
So if you're somebody who's thinking about it, that's the big thing is if you've got an idea and you really believe in it, you should be able to get funding.
You should be able to tell people about your solution.
You should be able to attract other people to your company.
But unless you have that passion, you're not going to be able to really succeed and focus on that for, you know, it could be five, six years before you really make it.
Well, if you're listening to this, I know you guys have a worldwide audience.
But if you're in the military or the government and you're coming out and you've been doing services and you think you've got a commercial idea, you can definitely get into this business. A lot of folks who come out with that pedigree actually have insights that aren't typically available to academia in the commercial
world. So I highly encourage anybody with that background to think about starting a company.
That's Ron Gula from Gula Tech Adventures.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Thanks for listening. We'll see you back here tomorrow.
Thank you.
is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.