CyberWire Daily - Magento brute-forcing. Android IM spyware. njRAT updated. Panera breach. Pipeline operator hacked. Cyber tensions. Cambridge Analytica named in class action suit.
Episode Date: April 3, 2018
In today's podcast, we hear that the Magento e-commerce platform is being brute forced. A new Android Trojan steals messaging info. njRAT gets an update, and some new and trendy criminal functionality. Notes on the Panera Bread data breach. A major US natural gas pipeline operator has its customer billing and scheduling system hacked, which reminds observers of threats to infrastructure. Russia thinks the US and UK are no longer as decent and trustworthy as they used to be during the Cold War. Another data scandal class action suit is filed, naming Cambridge Analytica. Jonathan Katz from UMD on isogeny-based cryptography. Guest is Mike McKee from ObserveIT, discussing data exfiltration.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 3rd, 2018.
Flashpoint reports that e-commerce sites running on the popular open-source Magento platform
are undergoing brute force attacks designed to scrape credentials
and then install cryptocurrency mining malware.
Flashpoint says its researchers know of at least 1,000 Magento admin panels
the attackers have compromised,
and they say dark web operators have shown a strong interest in Magento since 2016.
Part of the problem lies with users retaining
default passwords. Flashpoint recommends enforcing password complexity
requirements, restricting users from recycling passwords, enabling two-factor
authentication, and using password managers. Trustlook researchers have
identified a new Android Trojan designed to take data from a number of widely used messaging apps.
They found the malware inside the Chinese app Cloud Module.
The malware itself has the package name com.android.boxa.
The apps being targeted include Skype, Facebook Messenger, Twitter, Telegram, WeChat, Weibo, Viber, Line, Coco,
Btalk, Momo, Voxer, Walkie Talkie Messenger, Groovio Magic Call, and Talkbox Voice Messenger.
It appears to do just one thing, extract and exfiltrate messaging data.
That singularity of focus suggests to some, Bleeping Computer concludes, that the attackers are looking for private conversations, video,
and images they might be able to use in extortion attempts.
Zscaler warns that njRAT has been updated with ransomware and cryptocurrency stealing capabilities.
njRAT has been in circulation since 2013.
The new version, which Zscaler is calling njRAT Lime Edition, includes DDoS capability as well as ransomware and Bitcoin looting functionality.
It retains more familiar capabilities, including a keylogger and screenlocker.
We talk a lot about insider threats, and I have to admit, whenever the topic comes up, I can't help but think about the 1979 suspense classic, When a Stranger
Calls. We've traced a call. It's coming from inside the house. A squad car's going over there
right now. Just get out of that house. My sister, in particular, used to lose a lot of sleep over
that one. In the cybersecurity biz, insider threats aren't quite so dramatic and hopefully
aren't a life or death situation, but they can be scary, and I'm willing to bet there's no shortage of security professionals who lose sleep worrying about them.
Mike McKee is CEO at ObserveIT, where they specialize in insider threat prevention,
and he joins us to take a bit of the mystery out of the topic.
The state of where we stand right now is there are too many people saying, I don't know,
whether it's, I don't know how that data got out. I don't know how big my risk is. I don't know who
I should be worried about. And I think that has a lot to do with the fact that cybersecurity has
traditionally been focused on the external threat, the malware, the ransomware, the hackers. You hear
lots about that. You don't hear as much about the insider threat, whether that be a vendor, contractor, employee.
A, because companies don't want to talk about that as much.
It's a lot easier to talk about Russia and China than it is
your own employees sending files out.
And as a result, there just isn't that much visibility
on how big that risk is and really how people get files out.
But they do know that a disproportionate greater than 50% of data breaches
involve someone on the inside.
And is it the situation where by the time we get to data exfiltration,
you've already had a bunch of things go wrong?
Yes and no.
I mean, there's the two sides of the camp.
There's the malicious actor and there's the uninformed actor.
You know, it's our belief actually that there are a lot of
early warning signals to both of those folks. If you do have good visibility and you do have
good detection, you'll see those early warning signals. We always use the expression, you'll see
the smoke before the fire and stop bad things from, you know, getting out of control or getting
really hurtful to an organization. And so what kind of early warning signals are you talking about?
Yeah, I mean, there's some basic things, you know, whether it's printing files after hours,
going to cloud file sharing services, elevating privileges, sending out large documents,
downloading certain applications from the web.
Quite often you'll see those early warning signs pretty early.
What about shadow IT, where folks who are just looking to get their work done, they
feel like IT is telling them no, so they find workarounds, and that's where you end up with
a security problem.
Yeah, I'll use another example of myself.
I often say when I'm at conferences and I pull out my USB drive, and I've madly fixed the presentation on the way to the conference, and, you know,
I copied it onto my USB disk. I then plugged that into the laptop where the conference presenter is.
And later I plug it back into my computer, which is not a very security conscious move.
And our security folks here have told me that. But to your point, you're trying to get your job
done. And I tell you, you see the same thing with cloud file sharing services. You see the same thing with Gmail. I mean, sometimes you can send a file, a large file
via Gmail easier than you can a corporate outlook system quite often. And once again, one thing that
we try to do is identify the barriers to people getting their work done that are causing them to
go outside the rules or outside the security policies, because sometimes those can be easy
to fix for an organization, such that their employees don't have to go outside the rules to get their job done.
So in your mind, how much of the solutions to these sorts of things are a technology thing,
and how much of it is a person-to-person educational type of thing?
Yeah, you know, I always say it's people, process, technology, in that order, which is sort of weird for a technology vendor to say.
But on the people side, it's, you know, it used to be the case that you wanted to know where your critical assets were.
On the people side now, it's knowing who those high risk users are, who are those people that have access to very valuable information and may be in a position to be sending that information out.
So it's very important to have education, to your point.
It's very important to have processes.
I always say insider threat's a team sport because you're dealing with people, not with machines.
And as a result, you have to have good processes between HR, legal, IT, and InfoSec.
And then, obviously, technology can help you along the way.
But technology by itself isn't going to be the silver bullet if you don't have a lot of education, a lot of buy-in organizationally, and people know what's happening and know what they're allowed to do and not allowed to do, as well as processes for when things start to go wrong.
And then it all starts with visibility.
And that you can have fancy artificial intelligence or machine learning or heuristics
or whatever the word of the day is, but it's only as good as the data that you have.
And that data needs to give you a very comprehensive view around what people are doing
as well as alerts that give you early indication when they're doing something outside of the policies.
That's Mike McKee. He's the CEO of ObserveIT.
Panera Bread is receiving poor reviews for the security of its online ordering system
in the wake of the data breach disclosed yesterday by Krebs on Security.
Lost data includes customer names, their email and physical addresses,
their birthdays and the last four digits of their credit card numbers.
Millions of customers who ordered food online from PaneraBread.com are potentially affected,
but the company has told Reuters that not only is the issue resolved, but that Panera
has concluded that less than 10,000 customers were potentially affected.
Panera was, according to Graham Cluley, who has an account on Bitdefender's Hot for Security site,
notified of the problem back in August by researcher Dylan Houlihan,
but were slow to either believe his disclosure or take action.
The company's site was still experiencing problems as recently as yesterday,
and the true number of customers whose data may have been lost seems to most observers
likely to be significantly higher than Panera's estimated ceiling of 10,000.
Energy Transfer Partners, a major U.S. natural gas pipeline operator, announced Monday that
its operations were being affected by a cyberattack against its electronic data interchange.
The interchange, which expedites shipping and billing to customers by machine-to-machine document transfers,
is a third-party system provided by Energy Services Group, LLC.
There's been no attribution. Investigation and remediation are continuing.
It's worth noting that the attack affects IT systems and not, insofar as is known, OT systems.
Energy Transfer Partners says operations will continue during remediation.
The attack, which appears to be the work of criminals and not state espionage services,
has reminded many of recent U.S. government warnings
that Russian cyber operators are conducting apparent battle space preparation of U.S. infrastructure.
Phil Neray, VP of Industrial Cybersecurity at Boston-based CyberX,
realizes that while this isn't the grid-killing attack so many people fear,
it's a disturbing harbinger of what may come.
Neray said, quote,
The FBI DHS alert makes it clear that our critical infrastructure
is in the crosshairs of our adversaries.
This looks like a financially motivated cyber attack, likely by cyber criminals,
but we've seen in the past that cyber criminals often collaborate with nation-states
and share hacking tools with each other.
It's easy to imagine a ransomware attack that uses nation-state tools
to hijack ICS SCADA systems and hold the pipeline hostage for millions of dollars per day.
It's natural that such thoughts should turn to Russia during this period of heightened tensions
recently made worse by Russia's attempted assassination by nerve agents of Sergei Skripal,
a former GRU officer who spied on behalf of Britain's MI6,
and Skripal's daughter Yulia in Salisbury, England.
There have been no further diplomatic expulsions over the episode,
but Russian Foreign Minister Lavrov, for his part,
thinks U.S.-Russian relations are worse than they were during the Cold War.
The U.S. and U.K. in particular have lost, Mr. Lavrov says,
the sense of decency they once possessed and are now engaged in full-on disinformation.
Other Russian officials complain of the West backing Russia into a corner.
The Russian line concerning the Salisbury attack has been that it was an Anglo-American provocation
and that Russia should be provided with evidence showing that Moscow was involved.
U.S. President Trump has been in conversations with French President Macron
and German Chancellor Merkel concerning a coordinated response
to Russian actions in the U.K. and elsewhere.
New U.S. National Security Advisor Bolton is said to favor a hard line
against Russian cyber operations in particular,
urging that the U.S. undertake cyber reprisals that would be,
as Bolton put it, disproportionate. One espionage case is unusual in that both
the Russians and the Americans want the same man. FSB officer Dmitry Dokuchaev agreed to plead
partially guilty in a Russian court to sharing information with a foreign intelligence service,
presumably an American one.
Dokuchaev is in trouble with both sides in the spy versus spy squabble.
The FBI also wants him in connection with the Yahoo breach.
They've got him on a wanted poster and everything.
Finally, class action lawsuits in the Facebook and Cambridge Analytica data scandal continue
to accumulate.
The latest one has been filed in the U.S. District Court for the Southern District of New York,
alleging blatant disregard and misuse of sensitive personal data.
There will surely be more like this to come.
And joining me once again is Jonathan Katz. He's a professor of computer science at the University
of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, welcome back.
I saw a story come by and it was talking about isogeny-based post-quantum crypto. Now, you and I
have sort of joked about how you throw the word quantum into anything cryptography related and people's
ears perk up. But isogeny-based crypto is something that I'm unfamiliar with. Can you
explain to us what we are talking about here? Well, let me first of all set a little bit of
the context. You know, many of the listeners might know that there's a big concern now about the
possible advent of quantum computers, which would basically be able to break all the public key
cryptography that we're currently using on the internet.
So people in general are now actively trying to design what are called post-quantum cryptosystems
that would remain secure even against a quantum computer.
And in fact, NIST, the National Institute of Standards and Technology, is currently
running a public competition to try to vet some algorithms that would have this post-quantum
security. And isogeny-based cryptography is basically one of these methods that people
are proposing that is a new method. It's not something that's currently deployed or that's
currently in use, but it's something that people believe might have a chance of being resistant
even to quantum computers. Can you share some of the details of it without getting too in the weeds
mathematically? Well, I can try. At a high level, actually, it's very similar to Diffie-Hellman
Key Exchange, if people are familiar with that concept, where basically you have two users,
each with their own secret. And based on their own secret and some public information,
they're able to compute a shared key. And so it's the same underlying idea here.
The biggest difference is that rather than working in kind of a regular group,
what's called an abelian group, they're using a more general mathematical structure.
And the reason for that is because quantum computers are able to solve, actually,
the hard computational problem on abelian groups,
but they're not able to solve it on systems based on these isogenies.
So they're taking advantage of, I guess,
a thing that the quantum computers aren't as good at.
Yeah, exactly.
They're taking advantage of a hard computational problem
based on elliptic curves,
but actually I want to stress it's different from the elliptic curve cryptography
that's already in use.
But it's a problem based on elliptic curves, and that problem we currently don't know how to solve on a quantum computer or on a classical computer efficiently.
So it seems like a promising potential candidate for quantum-resistant cryptography.
And where are we along with this? Are we still just in the research stage, or is this something we'll see anytime soon?
Definitely in the research stage. Actually, I was looking earlier today,
because like I said, NIST is running this public competition, and you can go online and take a look, actually, at all the algorithms that have been submitted. And it looks like there's only
been one algorithm submitted based on isogenies, whereas there are some other techniques, for
example, lattices, that have a lot more submissions based on those techniques.
So it looks like people are still very unsure
about how these isogeny-based crypto systems
are going to play out
and what kind of security they can get.
But it's definitely an interesting area of research.
All right.
Jonathan Katz, thanks for joining us.
Thank you.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio,
Ben Yellen, Nick Volecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.