The CyberWire Daily Podcast 7.26.18
Ep 649 | 7.26.18

LifeLock closes proof-of-concept hole. US-CERT warns of active campaigns against ERP applications. Ad blockers may function as spyware. Parasite HTTP RAT. Underminer EK. NSA's IG scowls.

Transcript

Dave Bittner: [00:00:03] LifeLock gets locked down. Probably no harm done - maybe. US-CERT warns of active campaigns against ERP applications. Ad blockers may be doubling as spyware. A new RAT gnaws away at corporate HR departments. Underminer shows that exploit kits aren't obsolete after all. NSA gets a bad report from its IG. Congress worries over Russian infrastructure reconnaissance and influence operations. And Iran's OilRig and Leafminer remain active regional threats.

Dave Bittner: [00:00:40] Now I'd like to share some words about our sponsor Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype. But it can be difficult to see through to it, as the experts at Cylance will tell you. AI isn't a self-aware Skynet ready to send in the Terminator. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com. And check out the report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at The CyberWire. And we thank Cylance for sponsoring our show. Major funding for The CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:40] From The CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 26, 2018. Here's an alert for consumers. One of the better-known identity protection companies, LifeLock, has fixed a problem with its systems that enabled any interested party to browse and index customer email addresses to customer accounts. It would have been possible for an attacker to unsubscribe customers from LifeLock communications. More seriously, it could have facilitated spoofing millions of LifeLock customers with phishing emails purporting to come from LifeLock.

Dave Bittner: [00:02:17] Symantec, which owns LifeLock, issued a statement this morning, in response to coverage of the proof of concept by Krebs on Security, that should put customers a bit at ease. Quote, "this issue was not a vulnerability in the LifeLock member portal. The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. Based on our investigation, aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page," end quote.

Dave Bittner: [00:02:58] The U.S. Department of Homeland Security's US-CERT has warned businesses that hackers are actively targeting SAP and Oracle enterprise resource planning applications. Those are ERP applications. SAP and Oracle are the market leaders in this important segment. Their products are widely used across many business sectors. The warning from US-CERT was prompted by release of research by ERP security specialist firm Onapsis and risk management firm Digital Shadows. ERP applications are especially attractive to hackers because of the sensitivity of the data they handle and store - business intelligence, customer relations, asset life cycle management data, supply chain information and human resources data. There are hundreds of thousands of ERP implementations worldwide. And the researchers note that what they call an astounding number of those implementations are insecure.

Dave Bittner: [00:03:55] According to Onapsis and Digital Shadows, there's been a dramatic rise in attacks detected and also a spike in dark web chatter related to ERP vulnerabilities. The criminal markets operating in the dark web appear to be doing a brisk trade in ERP exploits, particularly exploits for SAP HANA. The attackers represent the full mix of usual suspects - criminals, hacktivists, hobbyists in it for the voyeuristic LOLs and, of course, national espionage services. The researchers have identified nine campaigns mounted against ERP applications by recognizable hacktivist groups.

Dave Bittner: [00:04:33] The criminal attention comes to a significant extent from Russian-speaking organized crime groups - Russians giving digital-age gangland the stereotypical ethnic tone associated with Italian organized crime provided during the U.S. Prohibition era. Linguistic note - the Russian word for Mafiosi is Mafiosi. And who saw that one coming? It's easy for enterprises to overlook ERP application security. The applications themselves, for one thing, typically reside behind an enterprise firewall. And it's possible, therefore, to be lulled into giving application-layer security a somewhat lower priority - assuming that the firewall is taking care of business. But ERP applications, especially post-cloud migration, present a large and attractive attack surface. And enterprises would do well to devote some attention to application-layer security, the research says.

Dave Bittner: [00:05:30] Does your organization's marketing department use social media icons on your website to help promote their presence on places like Twitter, Facebook or LinkedIn? Well, researchers at security company SiteLock discovered that having those seemingly harmless buttons on your site doubles the likelihood that the site will be infected with malware. Jessica Ortega is product marketing specialist at SiteLock.

Jessica Ortega: [00:05:54] We're talking about the icons that you put on your website that allow your visitors to go to your social media pages. So this would be like your Twitter button, your Facebook button, your Instagram feed - anything that would connect your users from your website to your social media presence.

Dave Bittner: [00:06:13] And these are certainly, I would say, fairly ubiquitous at this point. So what is the risk here? Why do folks who have these buttons here find themselves more likely to be attacked?

Jessica Ortega: [00:06:22] So there's a couple of different risks. The first is that a lot of times, cybercriminals will use social media as a way to scan for business websites. So they'll go onto Facebook or Twitter, and they will build these bot programs that scan for and collect lists of URLs. So they'll go, and they'll look for anything that starts with the www or ends with .com, .net, and they'll build a list, and they'll use other automated programs to attack those sites based on that list. And then the second kind of layer of that is if you're using an application, like say Joomla or WordPress, and you're using plug-ins or add-ons to connect to those social media sites, those plug-ins may have vulnerabilities in them that could allow attackers to access like the back end of your website.

Dave Bittner: [00:07:13] So it's not necessarily a vulnerability in the functionality of the buttons themselves; it's that, I guess, having them there makes you more likely to be a target for some sort of automated scanning.

Jessica Ortega: [00:07:26] Right. It's not necessarily the functionality of the button so much as it is the functionality of the plug-in or add-on that puts those buttons there. And then the more popular you are on social media, the more attention that you may derive, and that may make you a target for these cybercriminals who are using automated programs to, say, look for somebody who has a million followers so that they can hack them because they know that their website likely gets a lot of traffic.

Dave Bittner: [00:07:55] Now, obviously, having these buttons on your website has an upside - to channel people to your social media presence. So what do you recommend in terms of protecting yourself or minimizing the possibility of these being a target?

Jessica Ortega: [00:08:08] Yeah, absolutely. We would never go out and say that you shouldn't have a social media presence. I mean, having a Facebook business page or a Twitter handle is almost a requirement now if you have your own business or your own startup. So it does definitely allow you to engage with your users, and it is positive. But what we recommend is, for the first layer, always make sure that you're using two-factor authentication on your social media handles, that you're only listing the business information that needs to be available. So you're not sharing those posts that have, you know, surveys on them - like, what was the name of your first dog or your mother's maiden name, that kind of thing - because those do often get harvested to be used in cyberattacks. And then on the website side, if you're using plug-ins or add-ons to make those buttons or make those features available on your website, you should always make sure that you're going in periodically, at least once a month, and updating those plug-ins as security updates are released.

Dave Bittner: [00:09:08] That's Jessica Ortega from SiteLock. Jessica is also the co-host of the "Decoding Security" podcast. Check it out. It's worth a listen.

Dave Bittner: [00:09:19] Android ad blockers may be a bit too nosy for comfort. Researchers at the firm AdGuard have taken a look at some of the more commonly used ad-blocking extensions for Chrome. And they've noticed that they collect and report a good bit of information about the user's browser history back to the app's controllers. The family of extensions AdGuard cites as amounting to potential spyware are produced, AdGuard says, by a company called Big Star Labs - apparently incorporated in the U.S. state of Delaware but doing business who knows where.

Dave Bittner: [00:09:52] Proofpoint this morning announced its discovery of a new remote-access Trojan being traded in criminal markets. They're calling the RAT Parasite HTTP, and they say it's noteworthy for a big bag of evasive tricks, including sandbox detection, anti-debugging capability, anti-emulation measures and so on. It's also modular, which enables the hoods who control it to add functionality once it's installed. Parasite HTTP spreads by phishing. It's delivered as a malicious attachment to an email directed to various human resources-related distribution lists - usually good guesses at what names those lists might have, HR at a domain, recruiting at a domain, accessibility, resumes, that sort of thing. So far, Proofpoint has seen Parasite HTTP in a single campaign directed at the IT, health care and retail sectors. But any business would do well to remind its employees that not all proffered resumes or CVs, typical phish bait used in the campaign, are what they seem.

Dave Bittner: [00:10:57] TrendLabs is tracking Underminer, a cryptojacking bootkit with an encrypted TCP tunnel. It infects its victims with a bootkit and also a cryptojacker called Hidden Mellifera. The kit transfers its malware over an encrypted TCP tunnel and packages its payloads in a customized format. TrendLabs says the format is similar to RAM file system format, and that makes them resistant to analysis. One lesson Trend Micro thinks the activity holds is that exploit kits may have fallen somewhat out of fashion, but they're by no means gone.

Dave Bittner: [00:11:33] The U.S. National Security Agency has received a starchy report from its inspector general. The NSA IG found that the agency's analysts performed searches under NSA's Foreign Intelligence Surveillance Act authority that were non-compliant. The problem seems to involve, for the most part, fumbling of complex safeguards. The IG cites, quote, "human error, incomplete understanding of the rules and gaps in guidance," end quote, as the causes of the lapses. But the report is an uncomfortable one, by no means a letter of recommendation.

Dave Bittner: [00:12:08] As U.S. congressional and other attention continues to be lavished on the threat that Russia poses, by general consensus and specific evidence to both infrastructure and elections, security firms warn of an increase in cyberactivity emerging from Iran. Palo Alto Networks repeats its warning of the OilRig campaign against the energy sector. Symantec notes that the Leafminer group, also thought associated with Tehran, represents a rising threat - still stumbling but eager to learn and clearly on its way up. Iran's recent cyberactivity has focused on regional rivals and associated targets, but this seems a matter of strategic decision and not necessarily a sign of limited capability. And finally, the U.S. Congress intends to invite tech industry leaders back to Capitol Hill to testify about what they can or should or might do to fight election influence operations. The companies so far invited will surprise no one. They are Facebook, Google and Twitter.

Dave Bittner: [00:13:14] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's White Paper, on a comprehensive approach to security across the digital workspace, will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.

Dave Bittner: [00:14:15] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host on the "Hacking Humans" podcast. We had an interesting story come by from Help Net Security. It's titled "Many Infosec Professionals Reuse Passwords Across Multiple Accounts." Something you and I have spoken about many times is passwords and password managers. Is this do as I say, not as I do?

Joe Carrigan: [00:14:40] It sounds like it. If - I'd like to see more granularity on this report. It says about 45 percent of them use it. So let's take a couple of websites, for example. Like, let's say I'm going to log on to something. I just need some information to get something. And they're going to say, we need you to log in and create an account in order to get this information. Well, guess what? You're not getting top-notch security. I don't really care if this account gets breached. I'm not even going to ever log into it again.

Dave Bittner: [00:15:06] So you're going to have a throwaway password you may use for that.

Joe Carrigan: [00:15:10] Maybe I'll use a throwaway password.

Dave Bittner: [00:15:11] You're not going to fire up your password manager and waste a 100-digit long...

Joe Carrigan: [00:15:16] No, exactly. Right.

Dave Bittner: [00:15:18] ...Random thing on that password or on that site. OK.

Joe Carrigan: [00:15:21] Yeah, but - I mean, but that doesn't mean that I don't use a password manager for every single one of my sites that does matter to me. Like, my - every email account that I have has its own individual password. And they're long, and they're complicated. Every financial website I access, same thing - everything that is of consequence. It's a risk determination of mitigating of - the likelihood, which I consider to be a very high likelihood that some site's going to be breached, right? But then I have to consider also the impact of that site being breached.

Dave Bittner: [00:15:53] Right.

Joe Carrigan: [00:15:54] Like, for example, I recently was on TrueCar and created an account with a disposable email address. Do you think I care about that password if I'm checking the price of a car I'm looking at? No, I don't care.

Dave Bittner: [00:16:06] (Laughter).

Joe Carrigan: [00:16:06] (Laughter) It doesn't matter.

Dave Bittner: [00:16:07] Yeah. Yeah, I have to say, you know, before I used a password manager, I was certainly guilty of this...

Joe Carrigan: [00:16:13] Right. No, I was too.

Dave Bittner: [00:16:13] ...For the reason - yeah, the reason everybody, you know, says. It's easier to reuse or cycle through what are now easily guessable variations of password bases, (laughter) right?

Joe Carrigan: [00:16:26] Right, there - yeah, there's that paper from Virginia Tech we talked about a while ago - I think that was on the "Hacking Humans" podcast - where they said, if you change your existing passwords minor - you know, in a minor fashion, then if I know one of your passwords, I can guess another one of your passwords in less than 10 guesses.

Dave Bittner: [00:16:43] Right.

Joe Carrigan: [00:16:44] You know, so you shouldn't be protecting your accounts for things like bank accounts or even Netflix. You shouldn't be protecting a Netflix account because if somebody gets into your Netflix account, that actually becomes a denial of service problem for you.

Dave Bittner: [00:16:57] And it's interesting. The survey also found that 20 percent of security pros had used unprotected public Wi-Fi. What do you - what's your take on that?

Joe Carrigan: [00:17:06] Generally...

Dave Bittner: [00:17:06] That seems - actually seems low to me.

Joe Carrigan: [00:17:08] Yeah. That - generally, I - first off, yeah, I think it is low. I have connected to unprotected Wi-Fi, but I always use a VPN when I do so that I know that the connection is secure between me and the VPN.

Dave Bittner: [00:17:21] Even from your mobile device?

Joe Carrigan: [00:17:23] Even from my mobile device, yes.

Dave Bittner: [00:17:24] OK.

Joe Carrigan: [00:17:25] Actually, for my mobile device, I have unlimited data, so I generally don't even connect to my home Wi-Fi for that. I just use the - I use the mobile Wi-Fi network or the mobile data network. Sometimes when I travel, I do wind up in places where I'm not connected to a secure site. So I do have to use a - like just last weekend, I was at a place where they have an open Wi-Fi. And I don't have a lot of data access, so from time to time, I would have to connect to that network. And yes, I turned on my VPN, which I pay for. If you get a (laughter) VPN, make sure you're paying for it because like Tim Cook says, if you're not paying for it, you're the product.

Dave Bittner: [00:18:00] (Laughter) Right. Right.

Joe Carrigan: [00:18:01] The product I purchase allows me to use the VPN from up to five devices, I think.

Dave Bittner: [00:18:05] Oh, I see.

Joe Carrigan: [00:18:05] So my phone is one of them.

Dave Bittner: [00:18:07] Right. So remember, don't just talk the talk. Walk the walk.

Joe Carrigan: [00:18:11] Great job, brother.

Dave Bittner: [00:18:12] (Laughter) That's right. All right. Joe, as always, thanks for joining me.

Joe Carrigan: [00:18:14] It was my pleasure, Dave.

Dave Bittner: [00:18:20] And that's The CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:18:28] Thanks to all of our sponsors for making The CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at The CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:18:55] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.