The CyberWire Daily Podcast 2.11.16

John Petrik: [00:00:03:15] Taxpayers are targeted by cyber criminals during the run up to April 15th. Bogus Android security apps target users in China. A new ransomware variant appears. More on the doxing of the FBI and Department of Homeland Security. There's a new approach to installing paycard skimmers. Anonymous hits three new targets. Vigilantes go after LizardSquad. And a toymaker hides behind its terms and conditions.

Dave Bittner: [00:00:29:17] This CyberWire podcast is made possible by the Johns Hopkins University Information Security Institute providing the technical foundation and knowledge needed to meet our nation's growing demand for highly skilled professionals in the field of information security, assurance and privacy. Learn more online at isi.jhu.edu.

John Petrik: [00:00:52:12] This is John Petrik, the CyberWire's editor, in Baltimore filling in for Dave Bittner with your CyberWire daily podcast for Thursday, February 11th, 2016.

John Petrik: [00:01:02:01] Tax issues headline recent cyber threat news. In the US, the Internal Revenue Service reports that somewhat more than 100,000 taxpayers' e-file credentials have been the targets of an attempted compromise. The incident, the IRS says, was an automated attack on its Electronic Filing PIN application. The Service says it detected and contained the attack without any loss of personal data, and that it's notifying taxpayers whose e-file accounts were prospected by the attackers.

John Petrik: [00:01:30:07] Palo Alto Networks warns a tax-themed phishing email is distributing the NanoCore remote-access Trojan. NanoCore is a commodity bit of crimeware that was, according to Symantec researchers, first released in late 2013. It's hitherto been most often seen in attacks against energy sector targets.

John Petrik: [00:01:48:04] Cheap, easy to deploy, and appealing to opportunistic criminals, the RAT has been widely circulated since last year. NanoCore is modular, and Palo Alto summarizes its premium plugins' functionality in a list: keylogging and password “recovery”; “stress testing” or denial-of-service; downloading, execution, or other software installation; remote CLI and UI; registry editing; socks proxy; firewall modification; and finally, webcam and audio controls.

John Petrik: [00:02:18:14] It's worth noting that this campaign isn't confined to North America. Phishing emails have been observed in Western Europe and Asia as well. What's new here is what Palo Alto calls the installation of, quote, "full-featured RAT implants," unquote. What's not new is that it's phishing. As always, users should be on their guard against plausibly themed emails. When words like "Attention," "Urgent Attention," and "Your taxes" appear in a subject line, well, then, caveat lector.

John Petrik: [00:02:46:09] NCR warns that it's found some external card skimmers installed on NCR-built ATMs, and also on machines manufactured by Diebold. Many card skimmers, particularly those in use at gas pumps, are internally installed to swipe card info at the bezel. But this new breed attaches instead to network communication cables external to the ATM itself. NCR advises those installing ATMs not to leave these cables exposed. And Brian Krebs advises ATM users to move on to a different machine if something looks not quite right about the one they're about to use. He's got photos of compromised cables up on his blog.

John Petrik: [00:03:19:23] There's more patch news out today. SAP has patched a problem in its Manufacturing Integration and Intelligence industrial control system product. Cross-site scripting and missing authentication are among the likelier possible exploits foreclosed by the patch.

John Petrik: [00:03:33:15] Cisco has clapped a stopper over a buffer overflow vulnerability in its ASA Software. This flaw could be exploited for remote code execution. SANS reports there's active scanning for the vulnerability in the wild. It's a critical patch and administrators should apply it as soon as possible.

John Petrik: [00:03:50:03] Investigation into doxing at the US Departments of Justice and Homeland Security continues. It seems likely the attackers' point of entry was a compromised staffer account used to socially engineer an agency help desk. Those responsible, now going by the name "the DotGovs," and probably tweeting a bit too cheekily and often for their continued anonymity, have posted their take on CryptoBin, which according to Tripwire has since become much less accessible to searches.

Dave Bittner: [00:04:18:05] This CyberWire podcast is brought to you through the generous support of Betamore, an award-winning coworking space, incubator, and campus for technology and entrepreneurship located in the Federal Hill neighborhood of downtown Baltimore. Learn more at betamore.com.

John Petrik: [00:04:37:20] With doxing and tax fraud scams in the news, it's worth considering what's at risk if someone gets ahold of some crucial bit of personally identifying information, like a Social Security number. The CyberWire spoke to the Johns Hopkins University's Joe Carrigan about the implications of such a compromise.

Dave Bittner: [00:04:53:19] Joining me is Joe Carrigan from Johns Hopkins Information Security Institute, they're one of our academic and research partners. Joe, we talk a lot about securing our information and one of the best things you can do to secure your information is choose what information you want to share with someone.

Joe Carrigan: [00:05:07:22] Absolutely. That's 100 percent correct.

Dave Bittner: [00:05:10:08] So in a healthcare situation, very often I'll go and I'll visit a doctor and they'll ask me to give them my Social Security number. You say, "Not so fast."

Joe Carrigan: [00:05:20:03] Exactly. I never give them my social security number when, when they ask for it. They really don't need it to provide you the healthcare you need. I had an experience this past summer where my wife was in for a procedure. They asked for my Social Security number as the insured person, and I said, "No, I'm not giving you my Social Security number because you're a hospital and I know that-- I, I know what your, what your network's like."

Dave Bittner: [00:05:46:18] So you're saying hospitals don't ta-- you're saying hospitals have a, have a history of being insecure?

Joe Carrigan: [00:05:53:02] Yes. They-- there's a lot of, there's a lot of issues that are unique to healthcare and hospitals that, that make it so that that's not a place where I'm comfortable having my social security number stored.

Dave Bittner: [00:06:02:19] Okay.

Joe Carrigan: [00:06:03:04] Let's say it that way. So, you know, the, the person at check-in said, "This-- we're going to need this Social Security number in the event that there's some kind of mix up with the insurance company, and if you don't provide that to us that's going to be a bigger hassle to you down the road." I said, "I'll take the hassle now, I'll take that hassle because that's, that's a different hassle than trying to clean up an identity theft problem."

Dave Bittner: [00:06:25:23] Over the years the Social Security number has become a more important piece of information. You know, I remember back when I was in college our Social Security numbers were on our student ID cards. We-- it was everywhere and nobody really worried about it. Why, why have Social Security numbers become something to protect as of late?

Joe Carrigan: [00:06:43:10] You need four pieces of information to open a credit card in someone's name. You need their name, their address, their date of birth and their Social Security number. You think about when you were in college, when I was in college, in order to get that information from somebody I pretty much had to know them. The internet wasn't as open as it is now. We were using it but it wasn't what it is today, it wasn't as widespread. So your Social Security number was relatively private at that point in time. Now I can download thousands of people's Social Security numbers and not only their Social Security numbers but all their identifying information from some, some breach somewhere, and just wholesale just go around exploiting that information and stealing identities, opening bank accounts, and credit cards in other people's names.

Dave Bittner: [00:07:28:06] So it's really a matter of the ease at which all that vast amount of information can be accessible compared to how it used to be?

Joe Carrigan: [00:07:35:17] Exactly. Now we can get to that, that amount of information, huge amounts of information at very low cost.

Dave Bittner: [00:07:42:03] Alright, Joe Carrigan, thanks for joining us.

Joe Carrigan: [00:07:43:19] My pleasure.

John Petrik: [00:07:46:06] Anonymous is back, with some new but foreseeable target sets. Recognizing that there are greater threats to the commonweal than the civil servants of York County, Pennsylvania, the hacktivist collective goes after three new targets: North Korea, to protest the DPRK's presumably easily militarized satellite launch, Saudi Arabia, to protest various human rights issues, and to demand the Kingdom's exclusion from the Olympics until it makes progress in the way it treats its subjects, and South Africa, where a job portal is attacked to protest child labor practices.

John Petrik: [00:08:17:12] In other hacktivist news, White Team "vigilantes" struggle with LizardSquad, contesting control over a network of compromised home routers. In fairness to LizardSquad, characterizing that loose group as "hacktivist" is perhaps at this point misleading, given its steadily increasing participation in criminal black markets. According to Forbes, White Team, which is a bit less communicative than its opposition, says that it hasn't been in any particular trouble with law enforcement. But it's worth noting that, in many jurisdictions, including those in the US and the UK, such vigilante hacktivism is against the law.

John Petrik: [00:08:49:13] Finally, you may recall the hacking of toymaker VTech, and the attendant privacy issues to which its customers were exposed. Part of the company's response is apparently to have been to revise its terms and conditions of use. Security blogger Troy Hunt close reads these, and finds this text, down in section 7, where VTech addresses limitation of liability. And we quote.

John Petrik: [00:09:10:00] “You acknowledge and agree that any information you send or receive during your use of this site may not be secure and may be intercepted or later acquired by unauthorized parties.” Unquote.

John Petrik: [00:09:19:08] One somehow doubts that this hold-harmless clause would hold up under challenge, much less that it's an adequate approach to the security problems of networked toys.

John Petrik: [00:09:26:21] And that's the CyberWire for Thursday, February 11th, 2016. For links to all of today’s stories, along with interviews, our glossary, and more, visit thecyberwire.com. The CyberWire podcast is produced by CyberPoint International, and this is the editor, John Petrik. We'll welcome our regular host, Dave Bittner, when he returns next week. Until then, I'll be filling in.

John Petrik: [00:09:46:04] And another note to our listeners, we'll be taking Monday off in observance of Washington's birthday, but we'll be back as usual on Tuesday of next week. Thanks again for listening.