The CyberWire Daily Podcast 3.2.17
Ep 297 | 3.2.17

Online banking funds transfer fraud. Telegram and phone scams. FCC regulatory update. Insider threats in the IC. And bad robots.

Transcript

Dave Bittner: [00:00:02:11] A criminal gang deploys sophisticated malware against remote banking system customers. Business email compromise continues to appear in the wild—be good to your proofreaders, CEOs. Telegram being used by phone scammers. FCC privacy and caller-ID blocking regulations are debated. A vulnerable WordPress plug-in found. And life sure was a lot easier before toys became part of the IoT.

Dave Bittner: [00:00:28:21] Time for a message from our sponsor, Netsparker. Are you still scanning with labor intensive tools that generate more false positives than real alerts? Let Netsparker show you how you can save time, save money and improve security with their automated solution. How many sites do you visit and therefore scan that are password protected? With most other security products you've got to record a login macro, but not with Netsparker. Just specify the user name, the password and the URL of the login page and the scanner will figure out everything else. Visit netsparker.com to learn more and if you'd like to try it for yourself you can do that too, go to netsparker.com/cyberwire for a free 30 day fully functional trial of Netsparker desktop. Scan your websites and let Netsparker show you how easy it can be. That's netsparker.com/cyberwire, and we thank Netsparker for sponsoring our show.

Dave Bittner: [00:01:35:07] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Thursday, March 2nd, 2017.

Dave Bittner: [00:01:44:19] There's a bit of a crime wave in progress against Russian banking customers. The remote banking system is reported to be under attack (again) by the RTM gang, which operates a phased campaign: backdoor, compromise, reconnaissance, data exfiltration, and theft of funds. Their attacks focus on online banking, but the campaign is directed against business customers as opposed to the banks themselves.

Dave Bittner: [00:02:09:03] RTM malware inspects drives and browsers in affected systems for indications of remote banking activity. It's particularly alert for a particular accounting software package, "1C: Enterprise 8." The malware then finds and alters an export file that contains bulk transfer details related to remote banking system payment orders, and this is how they make their profit.

Dave Bittner: [00:02:32:16] The Bratislava, Slovakia-based, security firm ESET, who's been tracking RTM for some time, finds their modus operandi reminiscent of Buhtrap, but believes the two gangs are unrelated. Their methods of infection are different. Buhtrap relied (and relies) on spearphishing, whereas RTM uses a variety of vectors, including spam and drive-by downloads. Most of the victims have been in Russia, but there are reports of smaller infestations in Germany, Kazakhstan, the Czech Republic, and Ukraine.

Dave Bittner: [00:03:03:17] This is a relatively advanced campaign showing some technical sophistication. But other, less tech-savvy forms of fraud remain endemic. The SANS Institute's Internet Storm Center has a report on another classic case of business email compromise, the kind in which a spoofed email that purports to be from a company's CEO or other responsible officer instructs finance, payroll, or some other corporate office to transfer a large sum of money to a criminal account. As so often happens, these bogus instructions succeed in bypassing email screening systems. In this case, the unnamed company benefited from alert proof-reading, so copy editors may be your last line of defense.

Dave Bittner: [00:03:45:11] Trustwave reports finding a "remotely exploitable issue in the Telnet administrative interface" of various DBLTek devices: a flawed proprietary challenge-and-response authentication system could give an attacker root access to a device.

Dave Bittner: [00:04:02:10] ThreatGeek describes how the privacy-friendly messaging app Telegram is being exploited by phone scammers. Messaging apps are becoming more popular with scammers as a way of evading do-not-call rules. If a scammer already has a phone number in their contact list, Telegram will tell them if that number is associated with a Telegram account. Once they have you on Telegram, they're off to the all-too familiar races, offering non-existent government benefits, discount siding, sure-fire penny stocks, the opportunity to perform good deeds for Nigerian royal widows, and so on.

Dave Bittner: [00:04:38:01] There are other issues of phone privacy and the regulation thereof under discussion in the US. The FCC, as expected, has voted to back away from privacy rules the broadband industry argued were unfairly burdensome. And in response to a series of bomb threats, some Senators (notably Charles Schumer, a Democrat from New York, are asking the FCC to grant Jewish Community Centers permission to bypass caller-ID blocking.

Dave Bittner: [00:05:04:12] Sucuri researchers report finding an SQL injection vulnerability in the NextGEN Gallery WordPress plug-in. Sources believe it could affect in excess of a million websites. NextGEN Gallery is a picture-handling plug-in widely used on WordPress sites.

Dave Bittner: [00:05:15:13] A term that gets thrown around a lot is the notion of data being weaponized. Weapons come in all shapes and sizes from peashooters to death stars, so for some clarification we checked in with Tony Gauda, CEO of security provider ThinAir.

Tony Gauda: [00:05:38:05] Even the choice of words which is, "weaponizing data", the question is can it be used in a defensive or an offensive posture but in most cases it's being used in a way that, whoever it's being used against, normally wouldn't act in that way. So you're using it as a leverage in some shape or form.

Dave Bittner: [00:05:56:13] Can you give us some examples of where data has been weaponized against someone?

Tony Gauda: [00:06:00:22] Yes. Anytime that you have cryptolocker that exists within an organization. If the cryptolocker will then go and encrypt a document and refuse to release the keys, that organization will then pay money in the form of a ransom. So they're using the data as a weapon against the organization itself. In other cases, it can be used in a blackmail scenario where you've got all different types of espionage utilities that exist on personal cell phones that collect all types of damaging personal information, then if you don't react in the way that the blackmailer expects then you risk that personal exposure. Therefore, I think there's tons of scenarios where that exists.

Dave Bittner: [00:06:42:09] So in terms of people protecting themselves against this sort of thing, what kinds of options do they have?

Tony Gauda: [00:06:48:24] Yes, I think it really depends on the threat but I think the first thing is that most people don't have any visibility or an inventory of where all the sensitive information is with their organization. So you can't protect what you can't see. Traditionally large companies and even people, they just don't know how exposed they are. So I think starting with that is a pretty big deal. For instance, when the DNC servers were hacked, there was this huge cache on the servers themselves of all this information and there was a huge cache of sensitive information that existed on people's end points. So knowing that it's there, you could have been taking protective measures or defensive measures to protect the information as it sat. I think that's the first thing you need to do.

Tony Gauda: [00:07:31:00] But then also recording activity that occurs against that information. So today, if you think about all the physical things that we do with are the things that we care most about. So if you go into a warehouse, there is an inventory of all the physical things that exist within a warehouse. There's a camera that sits in the corner and watches what people physically do with all the items inside a warehouse and then there are guards posted outside. So you have this well-defined, very thoughtful security posture when it comes to the physical assets. However, when it comes to digital information there is a much less well-defined, a much less rigid or a much less thoughtful security posture. So you don't have an inventory of whoever touches information. You don't have what we like to call an information chain of custody, you don't know what people know, you don't know what people have seen and you don't have any recording technologies around information. So facts just like taking screen-shots of what people have on their desktop or keystroke, recordings of what they actually type with some attribution of information - how it's being used throughout the organization. You don't have that capability and that's actually something that we think is the future of data security, is that particular type of posture which is what we actually build.

Dave Bittner: [00:08:48:11] That's Tony Gauda from ThinAir.

Dave Bittner: [00:08:52:07] There is some patch news this week, some of it coming from within the security sector itself. Zscaler has patched a cross-site scripting bug in its admin portal. Rapid7 discloses eight vulnerabilities in its products and issues either patches or mitigations for them. Slack has fixed a cross-origin token-theft vulnerability in its popular cloud-based collaboration tool.

Dave Bittner: [00:09:13:22] And finally, really, we're officially creeped out by the connected toys and household robots. As CloudPets files its surveillance-stuffed-animal breach notification with the California Attorney General, security company IOActive reports on the general state of robot security, and the state of the robots is not good. It's not that the robots are necessarily as leaky as Teddy bears; it's more that the robots are easily hackable. And since Microsoft has shown that AI can now code, where is all this heading? All in all we were much happier when the toys you had to worry about were things like Lawn Darts.

Dave Bittner: [00:09:55:19] Today our show is sponsored by Palo Alto Networks, you can learn more about them at go.paloaltonetworks.com/secureclouds. Cloud security isn't your public cloud provider's sole responsibility, it's a shared responsibility and while public clouds tend to do a good job of securing their cloud infrastructure, you still need to protect your apps and data wherever the may be. Next generation cloud security gives you the complete visibility you need to control your apps and reduce your threat surface from the network to the cloud. Palo Alto Networks has the broadest most comprehensive cyber security for all clouds and software as a service environments, because secure clouds are happy clouds. Put their security to work for you. Get started at go.paloaltonetworks.com/secureclouds. And we thank Palo Alto Networks for sponsoring our show.

Dave Bittner: [00:10:53:23] Joining me once again is Markus Rauschecker. He's the Cyber Security Program Manager at the University of Maryland Center for Health and Homeland Security. Markus, we saw a story come by on the Next City website and it was called "what plugged in cities mean for personal privacy". We've certainly got this move towards cities becoming smart cities and that could have some privacy implications for people?

Markus Rauschecker: [00:11:18:20] Oh, absolutely. In general we've seen that, especially in the private sector, companies are collecting a lot of information about their customers. They use that information and then monetize it, because all that information can be very powerful when put together. I think the government and municipalities have certainly caught onto this as well, that as they collect information that can be used in a lot of ways, a lot of beneficial ways but, of course, it also raises privacy concerns among citizens.

Dave Bittner: [00:11:50:00] The cities are saying there are some useful ways for the greater good. For example using this to help fight crime?

Markus Rauschecker: [00:11:58:06] Yes, absolutely. There's been a big push in a lot of municipalities for the use of big data to fight crime and algorithms can be used, using all its various data that's been collected to really predict crime and where it might happen. So it's fascinating to see how effective this actually is infighting crime, because cities and police departments are now able to really predict with great accuracy where crimes might take place and they can send police officers to those areas and actually prevent those crimes or find the criminals really quickly. So that certainly has a big benefit for the greater good in that regard. At the same time, this kind of predictive policing and other uses of big data by cities and towns has raised concerns about privacy. Opponents say that some of this predictive crime fighting and other uses of data certainly has an effect on people's privacy, their expectations of privacy. A lot of information can be deduced about individuals using this data. They use data sets so there is concern there and then, when it comes to predictive policing, there's certainly some out there who say that this can disproportionately affect certain geographical areas or certain populations and that there's a danger in this almost blind reliance on big data to do the policing or other activities when the human aspect is really then secondary. There's also this concern that a lot of information that, perhaps, seems to be anonymous can be plugged together, can be put together, can be connected using algorithms and data analytics and certain things can be deduced and identities can be revealed through that analysis and certainly that's very concerning when we want to make sure that certain data is protected and sensitive. We don't necessarily want to be able to deduce these things just because we have these massive data sets.

Dave Bittner: [00:14:09:24] Markus Rauschecker, thank you for joining us.

Dave Bittner: [00:14:12:17] And that's the CyberWire. Thanks to all of our sponsors who make the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can protect you from cyber threats visit cylance.com

Dave Bittner: [00:14:24:21] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.