ISIS inspiration in exile. Facebook’s Sunday outage. A Microsoft IE bug, and a web-mail breach. Issues with VPNs. Last-minute tax scams. Oculus Easter eggs.
Dave Bittner: [0:00:03] An ISIS hard drive suggests the caliphate's plans for inspiration as it enters exile. Facebook's Sunday outage remains unexplained. Microsoft deals with a breach in its consumer webmail products. A researcher drops an Internet Explorer zero-day that may affect you, even if you don't use IE. CISA warns of bugs in widely used VPNs. Last-minute Tax Day online scams, security pros advocate poor restroom hygiene and Easter eggs in Oculus.
Dave Bittner: [0:00:40] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Prevention-based tools leave you blind to any threats inside your network. By adding behavioral-based network traffic analysis to your SOC, you can find and stop attackers before they make their move. ExtraHop illuminates the dark space with complete visibility at enterprise scale, detects threats up to 95 percent faster with machine learning and guided investigations that help tier one analysts perform like seasoned threat hunters. Visit extrahop.com/cyber to learn why the SANS Institute calls ExtraHop fast and amazingly thorough, a product with which many SOC teams could hit the ground running. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [0:01:37] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, April 15, 2019.
Dave Bittner: [0:01:46] We begin with a brief note on ISIS and its attempt to resume inspiration operations online following its effective expulsion from the territory it had controlled in Syria. According to The Times of London, the contents of a dropped hard drive show the caliphate retains its lethal intentions, even in its present stateless diaspora. The Paris massacre at the Bataclan concert hall in 2015 and the New York murders by truck in 2017 are viewed as templates for angry and disaffected jihadists to use against the dar al-harb going forward.
Dave Bittner: [0:02:21] Facebook, Instagram, WhatsApp and Messenger were down for several hours yesterday, the second major disruption the social network has suffered in roughly a month and the third so far this year. Many outlets have been quoting the only explanation Facebook has offered so far - quote, "earlier today, some people may have experienced trouble connecting to the family of apps. The issue has since been resolved. We're sorry for any inconvenience," end quote. No cause or explanation yet, but most observers think this most recent outage was less severe than the one that hit in mid-March.
Dave Bittner: [0:02:56] TechCrunch reported Saturday that Microsoft has acknowledged that a limited number of Redmond's webmail services had their accounts compromised. The incident, which occurred between January 1 and March 28, arose when a customer support agent's credentials to a support portal were compromised. Microsoft advises affected users, whom it's notified, to change their passwords.
Dave Bittner: [0:03:19] Enterprise users are believed to be unaffected, but people who use these services for personal accounts should be aware of the data that were compromised. These include email addresses, the names of folders, email subject lines and those email addresses the affected users communicate with. The data do not include, according to Microsoft, the contents of any emails or attachments. Also unaffected, apparently, are login credentials. The breach carries with it the usual attendant risk of derivative phishing, so be on the lookout, whether you are among the affected users or not, for more or less plausible approaches designed to spook you into following a link or opening an attachment with a webmail theme.
Dave Bittner: [0:04:03] Researcher John Page released a proof-of-concept Microsoft Internet Explorer zero-day after Microsoft declined to patch it, deferring corrective action until some unspecified later time. ZDNet reports that the vulnerability could enable file exfiltration. Page says the proof of concept affects Windows 7, Windows 10 and Windows Server 2012 R2.
Dave Bittner: [0:04:26] You might feel reassured if you don't use Internet Explorer - and many no longer do; the browser has steadily lost market share over recent years - but you should still be on your guard. You might not be interested in IE, but IE is interested in you - that is, if you're a Windows user, whatever browser you use. Windows still uses IE to open MHT files, so don't trust suspicious or questionable MHT files, particularly if they arrive as an attachment to an email.
Dave Bittner: [0:04:57] On Friday, CISA announced that CERT/CC, the CERT Coordination Center, had issued a warning about vulnerabilities in several widely used virtual private network applications. CERT/CC says the applications store the authentication and/or session cookies insecurely in memory and/or log files. The affected products include Palo Alto Networks' GlobalProtect agent 4.1.0 for Windows and GlobalProtect agent 4.1.1 and earlier for macOS and Pulse Secure Connect Secure prior to 8.1R14, 8.2, 8.3R6, and 9.0R2, and Cisco AnyConnect 4.7 and prior versions.
Dave Bittner: [0:05:43] F5 says its BIG-IP APM system was vulnerable under rare circumstances but that users should implement multi-factor authentication. Palo Alto Networks has a patch for GlobalProtect version 4.1.1. CERT doesn't know about the others but thinks the problem may be generic to VPNs.
Dave Bittner: [0:06:04] Today is Tax Day in the US. And as the dazed, confused or dilatory scramble to file, they should know that the scammers are prepared to take advantage of the procrastinator's reduced capacity to defraud them. Zscaler shares some eleventh-hour advice. You should be aware of IRS login phishing, in which you receive an email that takes you to a fairly convincing imitation of an IRS page, where you will, of course, be invited to enter the credentials you and many like you use when you file online.
Dave Bittner: [0:06:34] It's worth noting that the U.S. Internal Revenue Service is only one of the prominent brands social engineers are vigorously impersonating. We've already mentioned Microsoft. But then there's the fake, apply-for-EIN scam and Google SEO poisoning, which gets bogus ads for bogus employer identification numbers served up piping hot at the top of Google's search results. Don't go there. And if you're in the U.K., there's still time to fall victim to the tax refund phishing campaign. Be wary, and don't let your fear and grogginess at, say, 11:30 local time tonight cloud your judgment. And happy filing.
Dave Bittner: [0:07:14] A survey of information security professionals sponsored by Lastline indicates that most of them would rather walk barefoot across a public restroom than use public Wi-Fi. We weren't aware that was the alternative, but OK, noted. And thanks for the nice image. We'll be keeping our shoes on in any case. By the way, the survey was conducted at RSA, and we must say that the restrooms there were indeed cleaner than the Wi-Fi. So maybe Lastline has a point. Still, shoes on, kids.
Dave Bittner: [0:07:46] All your headsets are belong us. Do developers' goofball messages count as a supply chain hack? Facebook is embarrassed by messages embedded in Oculus VR preproduction controllers by Oculus developers - this space for rent, the Masons were here, Big Brother is watching and hi, iFixit, we see you. The girls and boys are just yucking it up and having fun, but Facebook would rather this hadn't happened.
Dave Bittner: [0:08:13] We should note that the messages are physical messages imprinted in the hardware, not virtual messages that will display before your eyes in either virtual or augmented reality. They're not, Oculus and its parent, Facebook, stress, going to appear in consumer models. But if you get your hands on one of the tens of thousands of prototypes, you should know that it's not the Illuminati signaling their imminent takeover. It's just some playful Easter eggs.
Dave Bittner: [0:08:38] Nate Mitchell, co-founder of Oculus and VR product boss at Facebook, tweeted, "unfortunately, some Easter egg labels meant for prototype accidentally made it onto the internal hardware for tens of thousands of touch controllers. While I appreciate Easter eggs, these were inappropriate and should have been removed. The integrity and functionality of the hardware were not compromised. And we fixed our process so this won't happen again," end quote. We think the Masonic reference would have been better and more believable if it had said the Shriners were here.
Dave Bittner: [0:09:14] Time for a message from our sponsor, KnowBe4. It can take a hacker to know a hacker. Many of the world's most reputable organizations rely on Kevin Mitnick, the world's most famous hacker and KnowBe4's chief hacking officer, to uncover their most dangerous security flaws. You might ask, hey, where can I get the skinny on the latest threats? And where could I find out what would Kevin do? Well, at KnowBe4's webinar, that's where. Kevin and Perry Carpenter, KnowBe4's chief evangelist and strategy officer, give you an inside look into Kevin's mind in this on-demand webinar. You'll learn more about the world of social engineering and penetration testing by listening to firsthand experiences and some disconcerting discoveries. You'll see exclusive demos of the latest attack ploys, find out how they could affect you, and learn what you can do to stop them. Go to knowbe4.com/hacker to register for the webinar. That's knowbe4.com/hacker. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [0:10:27] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, and he is also my co-host on the "Hacking Humans" podcast. Joe, it's great to have you back.
Joe Carrigan: [0:10:37] It's good to be back, Dave.
Dave Bittner: [0:10:38] We saw some news come by from the folks at Tenable...
Joe Carrigan: [0:10:42] Right.
Dave Bittner: [0:10:42] ...About some vulnerabilities they discovered on some Verizon routers.
Joe Carrigan: [0:10:47] Right.
Dave Bittner: [0:10:47] What's going on here?
Joe Carrigan: [0:10:48] So the Verizon Fios routers - these are the routers that you get in your house when you get the Verizon service.
Dave Bittner: [0:10:53] Yep.
Joe Carrigan: [0:10:54] And...
Dave Bittner: [0:10:54] I probably have one in my house.
Joe Carrigan: [0:10:56] Yes. I actually don't because I'm not on Verizon right now.
Dave Bittner: [0:10:59] OK.
Joe Carrigan: [0:10:59] But they've found these vulnerabilities that let people come in, and they can change firewall rules on the router and change parental settings on the firewall as well. They could also start making a map of your network.
Dave Bittner: [0:11:14] OK.
Joe Carrigan: [0:11:14] Right. So there's three vulnerabilities here that they've published with the MITRE CVE system. But yeah, we talk about this frequently. What's being done to protect the average person here? Now, Verizon has advised that there's a new firmware update that's going to address these issues, but it's going to be rolled out automatically too. But I don't know when that's happening. There's nothing in here that says that's already happened. I imagine that Tenable followed a responsible disclosure process here.
Dave Bittner: [0:11:39] Yeah. How do you feel about that sort of thing, with an update being rolled out automatically?
Joe Carrigan: [0:11:45] Well, technically the router is Verizon property.
Dave Bittner: [0:11:48] OK.
Joe Carrigan: [0:11:48] So it's their responsibility to roll those out automatically, I would say. That would be my argument.
Dave Bittner: [0:11:53] Yeah.
Joe Carrigan: [0:11:54] And they should do it quickly.
Dave Bittner: [0:11:55] OK.
Joe Carrigan: [0:11:56] Now, how can you protect yourself against this? This is the problem - the question that everybody's wondering. And what I've done is I've bought another router.
Dave Bittner: [0:12:05] OK. I was going to ask you about that. So can you put another ring in the moat around the house, basically?
Joe Carrigan: [0:12:11] Right, I've talked about this before. I use Comcast right now. Here in our area, we're fortunate to have a choice of which ISP we can use.
Dave Bittner: [0:12:19] (Laughter) OK.
Joe Carrigan: [0:12:20] So right now I'm using Comcast. I'll probably go back to Verizon at some point in the future. The Comcast modem sits - is a cable modem, and it sits outside of my network perimeter.
Dave Bittner: [0:12:29] OK.
Joe Carrigan: [0:12:30] It is not a trusted device. I don't trust it. And I have another router on the inside of that which I maintain and which I update the firmware for. I take personal responsibility for it. I don't rely on another company to do that. Now, additionally, because this physical piece of property is the property of your ISP, they actually have the ability to come into it themselves as well.
Dave Bittner: [0:12:53] Right.
Joe Carrigan: [0:12:54] You don't know what that means, and you have no idea if you should trust that. But if they come in, they're going to see that one device is connected to their router or to their cable modem and that they can't get past that because it doesn't allow access from the outside of the network.
Dave Bittner: [0:13:10] So if you have the sophistication where you think you can handle this sort of thing - and it's not terribly complicated...
Joe Carrigan: [0:13:16] It's not really terribly complicated. So if you just get a basic router from one of the many router companies available out there and put it on your network and then just make sure that external login is not enabled, you'll be a lot better off.
Dave Bittner: [0:13:28] Yeah.
Joe Carrigan: [0:13:28] So there is no way for somebody else to even see a web interface on your router if they're coming in from the compromised router.
Dave Bittner: [0:13:34] And I guess this is - points to the thing we've talked about before, where it's not so much that you have to make your place impenetrable.
Joe Carrigan: [0:13:41] Right.
Dave Bittner: [0:13:42] It's that you make it less punishable than the guy next door.
Joe Carrigan: [0:13:45] Right.
Dave Bittner: [0:13:46] Right?
Joe Carrigan: [0:13:46] It's like the burglar alarm on your house. If you have a burglar alarm in your house, then the neighbor who doesn't have the burglar alarm is the one that gets robbed.
Dave Bittner: [0:13:54] Right. Verizon is saying here to confirm that your device is updated to the latest version, and if you have any questions, contact Verizon. But in the meantime, probably good advice to go out there and get yourself a secondary router.
Joe Carrigan: [0:14:06] I would recommend that.
Dave Bittner: [0:14:08] All right. Joe Carrigan, thanks for joining us.
Joe Carrigan: [0:14:10] It's my pleasure, Dave.
Dave Bittner: [0:14:15] And that's the CyberWire. For links to all of today's stories, check out our CyberWire Daily News Brief at thecyberwire.com.
Dave Bittner: [0:14:22] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [0:14:33] Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [0:15:01] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.