CyberWire Daily - Online banking funds transfer fraud. Telegram and phone scams. FCC regulatory update. Insider threats in the IC. And bad robots.
Episode Date: March 2, 2017
In today's podcast we hear about how a criminal gang is deploying sophisticated malware against remote banking system customers. Business email compromise continues to appear in the wild—be good to your proofreaders, CEOs. Telegram being used by phone scammers. FCC privacy and caller-ID blocking regulations debated. Vulnerable WordPress plug-in found. Markus Rauschecker from the University of Maryland Center for Health and Homeland Security reviews the privacy implications of Smart Cities. Tony Gauda from ThinAir explains the weaponization of data. And life sure was a lot easier before toys became part of the IoT.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A criminal gang deploys sophisticated malware against remote banking systems customers. Business email compromise continues to appear in the wild. Be good to your proofreaders, CEOs. Telegram being used by phone scammers. FCC privacy and caller ID blocking regulations are debated. A vulnerable WordPress plugin is found. And life sure was a lot easier before toys became part of the IoT.
I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, March 2, 2017.
There's a bit of a crime wave in progress against Russian banking customers. The remote banking system is reported to be under attack, again, by the RTM gang, which operates a phased campaign: backdoor compromise, reconnaissance, data exfiltration, and theft of funds. Their attacks focus on online banking, but the campaign is directed against business customers as opposed to the banks themselves. RTM malware inspects drives and browsers on affected systems for indications of remote banking activity. It's particularly alert for a particular accounting software package, 1C Enterprise 8. The malware then finds and alters an export file that contains bulk transfer details related to remote banking system payment orders, and this is how they make their profit.
The Bratislava, Slovakia-based security firm ESET, who's been tracking RTM for some time, finds their modus operandi reminiscent of Buhtrap, but believes the two gangs are unrelated. Their methods of infection are different. Buhtrap relied and relies on spear phishing, whereas RTM uses a variety of vectors, including spam and drive-by downloads. Most of the victims have been in Russia, but there are reports of smaller infestations in Germany, Kazakhstan, the Czech Republic, and Ukraine.
This is a relatively advanced campaign, showing some technical sophistication, but other, less tech-savvy forms of fraud remain endemic. The SANS Institute's Internet Storm Center has a report on another classic case of business email compromise, the kind in which a spoofed email that purports to be from a company's CEO or other responsible officer instructs finance, payroll, or some other corporate office to transfer a large sum of money to a criminal account. As so often happens, these bogus instructions succeed in bypassing email screening systems. In this case, the unnamed company benefited from alert proofreading, so copy editors may be your last line of defense.
Trustwave reports finding a remotely exploitable issue in the Telnet administrative interface of various DblTek devices. A flawed proprietary challenge-and-response authentication system could give an attacker root access to a device.
ThreatGeek describes how the privacy-friendly messaging app Telegram is being exploited by phone scammers. Messaging apps are becoming more popular with scammers as a way of evading do-not-call rules. If a scammer already has a phone number in their contact list, Telegram will tell them if that number is associated with a Telegram account. Once they have you on Telegram, they're off to the all-too-familiar races, offering non-existent government benefits, discount siding, sure-fire penny stocks, the opportunity to perform good deeds for Nigerian royal widows, and so on.
There are other issues of phone privacy and the regulation thereof under discussion in the U.S. The FCC, as expected, has voted to back away from privacy rules the broadband industry argued were unfairly burdensome. And in response to a series of bomb threats, some senators, notably Charles Schumer, a Democrat from New York, are asking the FCC to grant Jewish community centers permission to bypass caller ID blocking.
Sucuri researchers report finding a SQL injection vulnerability in the NextGen Gallery WordPress plugin. Sources believe it could affect in excess of a million websites. NextGen Gallery is a picture-handling plugin widely used on WordPress sites.
A term that gets thrown around a lot is the notion of data being weaponized. Weapons come in all shapes and sizes, from peashooters to Death Stars. So for some clarification, we checked in with Tony Gauda, CEO of security provider ThinAir.
Even the choice of words, which is weaponizing data, the question is, can it be used in a defensive or offensive posture? But in most cases, it's being used in a way that whoever it's being used against normally wouldn't act in that way. So you're using it as leverage in some shape or form.
Can you give us some examples of where data has been weaponized against someone?
Yeah, anytime that you have a crypto locker that exists within an organization. So their crypto locker will then go and encrypt the document and refuse to release the keys in the event, so that the organization will then pay money in the form of a ransom. So they're using the data as a weapon against the organization itself. In other cases, it can be used in a blackmail scenario where you've got all different types of espionage utilities that exist on personal cell phones that collect all types of damaging personal information. And then if you don't react in the way that the blackmailer expects, then you risk that personal exposure. So I think there's tons of scenarios where that exists.
So in terms of people protecting themselves against this sort of thing, what kinds of options do they have?
Yeah, I think it really depends on the threat. But I think the first thing is that most people don't have any visibility or an inventory of where all the sensitive information is throughout an organization. So you can't protect what you can't see. Traditionally, large companies and even people, they just don't know how exposed they are. So I think starting with that, it's a pretty big deal. So for instance, when the DNC servers were hacked, there was this huge cache on the servers themselves of all this information, and there was a huge cache of, you know, sensitive information that existed on, you know, people's endpoints. So knowing that it's there, you could have been taking protective measures or defensive measures to protect the information where it's at. So I think that's the first thing you need to do. But then also recording the activity that occurs against that information.
So today, if you think about all the physical things that we do with the things that we care most about. So if you go into a warehouse, there's an inventory of all the physical things that exist within a warehouse. There's a camera that sits in the corner and watches what people physically do with all the items inside the warehouse. And there's guards posted outside. So you have this well-defined, very kind of thoughtful security posture when it comes to the physical assets. But when it comes to digital information, there is a much less well-defined, a much less rigid, or a much less kind of thoughtful security posture. So you don't have an inventory of whoever touches information. You don't have what we like to call an information chain of custody. You don't know what people know. You don't know what people have seen. You don't have any recording technologies around information. So it's not just like taking screenshots of what people have on their desktop or keystroke recordings of what they actually type, but some attribution of information, how it's being used throughout the organization. Like, you don't have that capability. And that's actually something that we think is the future of data security, is that particular type of posture, which is what we actually built.
That's Tony Gauda from ThinAir.
There is some patch news this week, some of it coming from within the security sector itself.
Zscaler has patched a cross-site scripting bug in its admin portal. Rapid7 discloses eight vulnerabilities in its products and issues either patches or mitigations for them. Slack has fixed a cross-origin token theft vulnerability in its popular cloud-based collaboration tool.
And finally, really, we're officially creeped out by the connected toys and household robots. As CloudPets files its surveillance stuffed animal breach notification with the California Attorney General, security company IOActive reports on the general state of robot security, and the state of the robots is not good. It's not that the robots are necessarily as leaky as teddy bears. It's more that the robots are easily hackable. And since Microsoft has shown that AI can now code, where's all this heading? All in all, we were much happier when the toys you had to worry about were things like lawn darts.
Joining me once again is Markus Rauschecker. He's the Cybersecurity Program Manager at the University of Maryland Center for Health and Homeland Security. Markus, I saw a story come by on the NextCity website, and it was called "What Plugged-in Cities Mean for Personal Privacy?" You know, we've certainly got this move towards cities becoming smart cities, and that could have some privacy implications for people.
Oh, absolutely, yeah. I think, you know, in general we've seen that, especially in the private sector, companies are collecting a lot of information about their customers. They use that information and monetize it because all that information can be very powerful when put together. And I think the government and municipalities have certainly caught on to this as well, that as they collect information that can be used in a lot of ways, a lot of beneficial ways, but of course it also raises privacy concerns among citizens.
And the cities are saying that there are some useful ways for the greater good, for example, using this to help fight crime.
Yeah, absolutely. There's been a big push in a lot of municipalities for the use of big data to fight crime. And algorithms using all this various data are now able to really predict with great accuracy where crimes might take place, and they can send police officers to those areas and actually prevent those crimes or find the criminals really quickly. So that certainly has a big benefit for the greater good in that regard. But at the same time, this kind of predictive policing and other uses of big data by cities and towns have raised concerns about privacy. And, you know, opponents say that some of this predictive crime fighting and other uses of data certainly have an effect on people's privacy, their expectations of privacy. A lot of information can be deduced about individuals using this big data, these data sets. So there's concern there. And then when it comes to predictive policing, there's certainly some out there who say that this can disproportionately affect certain geographical areas or certain populations. And that there's a danger in this almost blind reliance on big data to do the policing or other activities when the human aspect is really then secondary. You know, there's also this concern that a lot of information that perhaps seems to be anonymous can be plugged together, can be put together, can be connected using algorithms and data analytics. And certain things can be deduced and identities can be revealed through that analysis. And certainly that's very concerning when we want to make sure that certain data is protected and sensitive. We don't necessarily want to be able to deduce these things just because we have these massive data sets.
Markus Rauschecker, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.