podcast

The CyberWire Daily Podcast

In today's podcast, we hear that the Magento e-commerce platform has brute forced. A new Android Trojan steals messaging info. njRAT gets an update, and some new and trendy criminal functionality. Notes on the Panera Bread data breach. A major US natural gas pipeline operator has its customer billing and scheduling system hacked, which reminds observers of threats to infrastructure. Russia thinks the US and UK are no longer as decent and trustworthy as they used to be during the Cold War. Another data scandal class action suit is filed, naming Cambridge Analytica. Jonathan Katz from UMD on isogeny-based cryptography. Guest is Mike McKee from ObserveIT, discussing data exfiltration.

Transcript

Dave Bittner: [00:00:00:21] Hey everybody. A quick thank you to everyone who supports us online. Whether it's supporting us on Patreon or by leaving a review on iTunes or just spreading the word about our show on Twitter or on Facebook. We do appreciate it, so thanks.

Dave Bittner: [00:00:15:24] The Magento E-Commerce platforms been brute forced. Android Trojan steals messaging information. NjRAT gets an update and some new and trendy criminal functionality. We've got notes on the Panera Bread data breach. A major US natural gas pipeline operator has it's customer billing and scheduling system hacked. Russia thinks the US and UK are no longer as decent and trustworthy as they used to be during the Cold War. And another data scandal class action suit is filed.

Dave Bittner: [00:00:50:09] It's time to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day organizations world wide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products, designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. If you're headed to RSA this year, stop by ThreatConnect's North Expo booth 3225, for a live demo of the ThreatConnect platform and of course pick up one of ThreatConnect's famous t-shirts. And, if you're not headed to San Francisco, well you can register for a free ThreatConnect account or learn more by visiting threatconnect.com/free. That's threatconnect.com/free to learn more and we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:05:18] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 3rd, 2018.

Dave Bittner: [00:02:18:12] Flashpoint reports that e-commerce sites running on the popular open source Magento platform are undergoing brute force attacks designed to scrape credentials and then install crypto currently mining malware. Flashpoint says it's researchers know that at least 1,000 Magento admin panels the attackers have compromised and they say dark web operators have shown a strong interest in Magento since 2016.

Dave Bittner: [00:02:42:14] Part of the problem lies with users retaining default passwords. Flashpoint recommends enforcing password complexity requirements, restricting users from recycling passwords, enabling two factor authentication and using password managers.

Dave Bittner: [00:02:59:00] Trustlook researchers have identified a new Android Trojan designed to take data from a number of widely used messaging apps. They found the malware inside the Chinese app Cloud Module, the malware itself has the package name "com.android.boxa."

Dave Bittner: [00:03:15:20] The apps being targeted include Skype, Facebook Messenger, Twitter, Telegram, WeChat, Weibo, Viber, Line, Coco, BeeTalk, Momo, Voxer Walkie Talkie Messenger, Gruveo Magic Call, and TalkBox Voice Messenger. It appears to do just one thing: extract and exfiltrate messaging data. That singularity of focus suggests to some, Bleeping Computer concludes, that the attackers are looking for private conversations, video, and images they might be able to use in extortion attempts.

Dave Bittner: [00:03:49:06] Zscaler warns that njRAT has been updated with ransomware and cryptocurrency-stealing capabilities. njRAT has been in circulation since 2013. The new version, which Zscaler is calling "njRAT Lime Edition," includes DDoS capability as well as ransomware and Bitcoin looting functionality. It retains more familiar capabilities, including a keylogger and screenlocker.

Dave Bittner: [00:04:14:23] We talk a lot about insider threats, and I have to admit whenever the topic comes up, I can't help but thinking about the 1979 suspense classic, When A Stranger Calls.

Unknown male: [00:04:26:05] "We've traced the call, it's coming from inside the house. A squad car is coming over there right now, just get out of that house."

Dave Bittner: [00:04:35:03] My sister, in particular used to lose a lot of sleep over that one.

Dave Bittner: [00:04:38:23] In the cyber security biz, insider threats aren't quite so dramatic and hopefully aren't a life or death situation, but they can be scary and I'm willing to bet that there's no shortage of security professionals who lose sleep worrying about them. Mike McKee is CEO at ObserveIT, where they specialize in insider threat prevention and he joins us to take a bit of the mystery out of the topic.

Mike McKee: [00:05:00:06] The state of where we stand right now is there are too many people saying, "I don't know." Whether it's "I don't know how that data got out," "I don't know how big my risk is." "I don't know who I should be worried about" and I think that has a lot to do with the fact that cyber security has traditionally been focused on the external threat, the malware, the ransomware, the hackers, you hear lots about that. You don't hear much about the insider threat whether that be a vendor, a contractor or an employee. This is partly because companies don't want to talk about that as much, it's a lot easier to talk about Russia and China than it is your own employees sending files out. And as a result there just isn't that much visibility on how big that risk is and really how people get files out. But they do know that a greater amount of data breaches involve someone on the inside.

Dave Bittner: [00:05:48:14] And is it the situation where, by the time we get to data exfiltration, you've already had a bunch of things go wrong?

Mike McKee: [00:05:54:18] Yes and no, I mean there's the two sides of the camp. There's the malicious actor and then there's the uninformed actor. It's our belief actually that there are a lot of earlier warning signals to both of those folks. If you do have good visibility and you do have good detection you'll see all the early warning signals - we always use the expression, you see the smoke before the fire - and stop bad things from getting out of control or getting really hurtful to the organization.

Dave Bittner: [00:06:21:07] And so what kind of early warning signals are you talking about?

Mike McKee: [00:06:25:13] I mean there's some basic things, whether it's printing files after hours, going to cloud file sharing services, elevating privileges, sending out large documents, downloading certain applications from the Web. Quite often you'll see those early warning signs pretty early.

Dave Bittner: [00:06:44:06] What about shadow IT where folks are just looking to get their work done, they feel like IT is telling them no. So they find workarounds and that's where you end up with the security problem.

Mike McKee: [00:06:55:11] I will use another example of myself, I often say it when I'm at conferences and I pull out my USB drive and I madly fix the presentation on the way to the conference and I copy it to my USB disc, I then plug that into the laptop where the conference presenter is and then later I plug it back into my computer. Which is not a very security conscious move. And our security folks here have told me that. But to your point, you just want to get your job done. And you see the same thing with cloud file sharing services you see the same thing with Gmail. I mean sometimes you get sent a large file to your Gmail, easier than you can a corporate Outlook system. One thing that we try to do is identify the barriers to people getting their work that are causing them to go outside the rules or outside the security policies because sometimes those can be an easy fix for an organization. Such that their employees don't have to go outside the rules to get their job done.

Dave Bittner: [00:07:49:16] So in your mind how much of the solution to these sorts of things are a technology thing and how much of it is a person to person educational type of thing.

Mike McKee: [00:07:58:23] I always say it's people, process, technology in that order, which is sort of weird for a technology vendor to say. But, on the people side it's, it used to be the case that you wanted to know where your critical assets were, on the people side now, it's knowing who those high risk users are, who are those people that have access to very valuable information and may be in a position to extend that information out. So it's very important to have education to your point, it's very important to have processes. I always say insider threat is a team sport because you're dealing with people, not with machines and as a result, you have to have good processes between HR and legal, IT and infotech, and then obviously technology can help you along the way.

Mike McKee: [00:08:41:03] But technology by itself isn't going to be the silver bullet. If you don't have a lot of education and a lot of buy-in organizationally, and people know what's happening and know what they're allowed to do and not allowed to do as well as processes, forward things start to go wrong. And then it all starts with visibility and that you can have a fancy artificial intelligence or machine learning or heuristics or whatever the word of the day is. But, it's only as good as the data that you have and that data needs to give you a very comprehensive view around what people are doing as well as alerts that give you early indication when they're doing something outside of the policies.

Dave Bittner: [00:09:21:05] That's Mike McKee, he's the CEO of ObserveIT.

Dave Bittner: [00:09:26:11] Panera Bread is receiving poor reviews for the security of its online ordering system in the wake of the data breach disclosed yesterday by KrebsOnSecurity. Lost data includes customer names, their email and physical addresses, their birthdays and the last four digits of their credit card numbers. Millions of customers who ordered food online from panerabread.com are potentially affected, but the company has told Reuters that not only is the issue resolved, but that Panera has concluded that less than ten thousand customers were potentially affected.

Dave Bittner: [00:09:59:11] Panera was, according to Graham Cluley who has an account on Bitdefender's HOT for Security site, notified of the problem back in August by researcher Dylan Hoilihan, but were slow to either believe his disclosure or take action. The company's site was still experiencing problems as recently as yesterday, and the true number of customers whose data may have been lost seems to most observers likely to be significantly higher than Panera's estimated ceiling of 10,000.

Dave Bittner: [00:10:28:10] Energy Transfer Partners, a major US natural gas pipeline operator, announced Monday that its operations were being affected by a cyberattack against its electronic data interchange. The interchange, which expedites shipping and billing to customers by machine-to-machine document transfers, is a third-party system provided by Energy Services Group LLC. There's been no attribution; investigation and remediation are continuing. It's worth noting that the attack affects IT systems and not (insofar as is known) OT systems. Energy Transfer Partners says operations will continue during remediation.

Dave Bittner: [00:11:08:19] The attack, which appears to be the work of criminals and not state espionage services, has reminded many of recent US Government warnings that Russian cyber operators are conducting apparent battlespace preparation of US infrastructure. Phil Neray, VP of Industrial Cybersecurity at Boston-based CyberX, realizes that, while this isn't the grid-killing attack so many people fear, it's a disturbing harbinger of what may come.

Dave Bittner: [00:11:35:04] Neary said, "The FBI/DHS alert makes it clear that our critical infrastructure is in the cross-hairs of our adversaries. This looks like a financially-motivated cyberattack, likely by cybercriminals, but we've seen in the past that cybercriminals often collaborate with nation-states and share hacking tools with each other. It's easy to imagine a ransomware attack that uses nation-state tools to hijack ICS/SCADA systems and hold the pipeline hostage for millions of dollars per day."

Dave Bittner: [00:12:07:05] It's natural that such thoughts should turn to Russia during this period of heightened tensions recently made worse by Russia's attempted assassination by nerve agent of Sergei Skripal, a former GRU officer who spied on behalf of Britain's MI6, and Skripal's daughter Yulia in Salisbury, England. There have been no further diplomatic expulsions over the episode, but Russian Foreign Minister Lavrov for his part thinks US-Russian relations are worse than they were during the Cold War. The US and UK in particular have lost, Mr. Lavrov says, the sense of decency they once possessed, and are now engaged in full-on disinformation. Other Russian officials complain of the West backing Russia into a corner. The Russian line concerning the Salisbury attack has been that it was an Anglo-American provocation, and that Russia should be provided with evidence showing that Moscow was involved.

Dave Bittner: [00:13:02:14] US President Trump has been in conversations with French President Macron and German Chancellor Merkel concerning a coordinated response to Russian actions in the UK and elsewhere. New US National Security Advisor Bolton is said to favor a hard line against Russian cyber operations in particular, urging that the US undertake cyber reprisals that would be, as Bolton put it, "disproportionate."

Dave Bittner: [00:13:28:01] One espionage case is unusual in that both the Russians and the Americans want the same man. FSB officer Dmitri Dokuchaev agreed to plead "partially guilty" in a Russian court to sharing information with a foreign intelligence service, presumably an American one. Dokuchaev is in trouble with both sides of this spy-vs.-spy squabble: the FBI also wants him in connection with the Yahoo! Breach. They've got him on a wanted poster and everything.

Dave Bittner: [00:13:57:22] Finally, class action lawsuits in the Facebook and Cambridge Analytica data scandal continue to accumulate. The latest one has been filed in the US District Court for the Southern District of New York, alleging “blatant disregard and misuse of sensitive, personal data." There will surely be more like this to come.

Dave Bittner: [00:14:20:23] Now I'd like to share some words about our sponsor Akamai. You've heard of the zero trust security model, well Akamai is the expert in deploying zero trust architectures to address the evolving security threats you face every day That's because they're also the cloud experts, Akamai's approach to security was built for the cloud because it was born in the cloud. In the age of zero trust networks the enterprise network is no longer the perimeter, the entire cloud is the perimeter, with no inside or outside and the threats can come from anywhere and anyone at any time. Akamai's zero trust security model accelerates secure digital transformation, protecting your business and enabling growth. Visit akamai.com/zerotrust to learn more, that's akamai.com/zerotrust and if you're going to RSA this year stop by and say hi to me and the CyberWire team at the Akamai booth North Hall booth 3625, we hope to see you there, and we thank Akamai for sponsoring our show.

Dave Bittner: [00:15:31:12] And joining me once again is Jonathan Katz he's a professor of computer science at the University of Maryland and also director of the Maryland Cyber Security Center. Jonathan, welcome back. I saw a story come by and it was talking about isogeny-based post quantum crypto and you and I have sort of joked about how you throw the word quantum, into anything cryptography-related and people's ears prick up. But isogeny-based crypto is something that I'm unfamiliar with can you explain to us what are we talking about here?

Jonathan Katz: [00:16:00:20] Well, let me first of all set a little bit of the context. Many of the listeners might know that there is a big concern now about the possible advent of quantum computers which would basically be able to break all the public key cryptography that we're currently using on the Internet. So people in general are now actively trying to design what are called post-quantum crypto systems that will remain secure even against a quantum computer. In fact NIST the National Institute of Standards and Technology is currently running a public competition to try to vet some algorithms that would have this post quantum, security. So isogeny based cryptography is basically one of these methods that people are proposing. It's a new method, not something that is currently deployed or that is currently in use, but it's something that people believe might have a chance of being resistant even to quantum computers.

Dave Bittner: [00:16:48:02] Can you share some of the details, without getting too in the weeds mathematically?

Jonathan Katz: [00:16:53:21] Well I can try. At a high level actually, it's very similar to the Diffie-Hellman key exchange, if people are familiar with that concept. Where basically you have two users, each with their own secret. And based on their own secret and some public information, they are able to compute a shared key. So it's the same underlying idea here, but the biggest difference is that rather than working a kind of regular group, what's called an abelian group, they're using a more mathematical structure. And the reason for that is because quantum computers are actually able to solve the hard computational problem on abelian groups but they're not able to solve it on these systems based on these isogenies.

Dave Bittner: [00:17:36:19] So they're taking advantage of a thing the quantum computers aren't as good at?

Jonathan Katz: [00:17:44:05] Exactly, they are taking advantage of a hard computational problem, based on elliptic curves. Although I want to stress that it's different from the elliptic curve cryptography that's already in use. But it's a problem based on elliptic curves and that problem we currently don't know how to solve on a quantum computer or on a classical computer efficiently, so it seems like a promising potential candidate for quantum resistant cryptography.

Dave Bittner: [00:18:07:12] And where are we along with this are we still just in the research stage or is this something that we'll see anytime soon?

Jonathan Katz: [00:18:11:05] Definitely in the research stage, actually I was looking earlier today, because like I said NIST is running this public competition and you can go online and take a look actually at all the algorithms that have been submitted and it looks like there has only been one algorithm submitted based on isogenies. Whereas there are some other techniques for example lattices, that have a lot more submissions based on those techniques. So it looks like people are still very unsure about how these isogeny-based cryptic systems are going to play out and what kind of security they can get but it's definitely an interesting area of research.

Dave Bittner: [00:18:46:05] Jonathan Katz, thanks for joining us.

Jonathan Katz: [00:18:48:18] Thank you.

Dave Bittner: [00:18:53:12] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor VMware, creators of Work Space ONE intelligence, learn more at vmware.com. The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media with Editor, John Petrik, Social Media Editor, Jennifer Eiben, Technical Editor, Chris Russell, Executive Editor, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.

Supported by:
ThreatConnect

With ThreatConnect, security analysts can simultaneously coordinate with incident response, security operations and risk management teams while aggregating data from trusted communities. Your team will be better equipped to protect the organization from modern cyber threats, mitigate risk and address strategic business needs all thorough a single, robust platform. Start Using ThreatConnect Today for Free.

Akamai

Akamai is the global leader in Content Delivery Network (CDN) services, making the Internet fast, reliable and secure for its customers. The company's advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere.  Learn more at akamai.com.

Subscribe to the CyberWire
Subscribe to the CyberWire Podcast: RSS Stitcher Google Play Music Castbox
Follow the CyberWire