Backdoors or legit apps? Serpents in walled gardens. Verizon's Data Breach Report.

Dave Bittner: [00:00:03:03] Cisco's Talos believes it found adware that amounts to a backdoor. More serpents crawling around in Google Play's walled garden? Careless developers get their credentials booted by Slack. Triumfant looks at Locky, and finds it morphs as often as five times a day. We talk to Level 3 about point-of-sale system risk, and Verizon gives us the skinny on their Data Breach Report. US Cyber Command seems to be putting the loser effect onto ISIS. Investigators are spooked by the SecureWorks dead cat bounce, and think they see venture funding drying up. But Evident.io says no, this is a salutary correction preventing a bubble.

Dave Bittner: [00:00:41:10] This podcast is sponsored by SINET, the Security Innovation Network, connecting the cyber security community, innovators, investors and customers, business and government. Learn more at security-innovation.org.

Dave Bittner: [00:01:04:10] I'm Dave Bittner in Baltimore, with your CyberWire summary, and weekend review for Friday April 29th, 2016.

Dave Bittner: [00:01:12:06] Breaking at week's end is a warning from Cisco’s Talos unit, which says that software exhibiting what Talos characterizes as “adware and spyware capabilities” is installed on around 12 million PCs worldwide. The application Talos flagged is Tuto4PC’s, OneSoftPerDay. Cisco's tools picked up the software as a "generic Trojan." Investigation indicated that it was installed with administrator rights on many endpoints.

Dave Bittner: [00:01:40:05] Tuto4PC strongly disputes Talos's conclusions, and points out that it's a long-established firm listed on the Paris Bourse (which no one, least of all Cisco, disputes). Their business model involves exchanging tutorials in exchange for users' acceptance of advertising. Their software, Tuto4PC says, is designed to evade excessively aggressive ad blockers.

Dave Bittner: [00:02:02:21] Cisco disagrees, and sees what it calls "an obvious case" for classifying OneSoftPerDay as a backdoor, or at the very least, as a potentially unwanted program. Tuto4PC has said it's taking legal advice in the dispute.

Dave Bittner: [00:02:16:10] PhishLabs researchers say they’re seeing more serpents in Google Play’s walled garden. In this case it's cash-stealing HTML scams that are slithering through.

Dave Bittner: [00:02:26:16] As criminals attend more to mobile devices, Zscaler finds some information-stealing Android malware circulating in the wild. It's posing as a Chrome update.

Dave Bittner: [00:02:36:22] Another mobile issue may have surfaced in connection with the widely-used, and useful, Waze navigation app. Researchers at the University of California Santa Barbara, think Waze may be leaking enough information to expose users to stalking.

Dave Bittner: [00:02:50:24] Some developers building applications for the popular messaging and collaboration platform Slack, have been leaving API credentials exposed in GitHub. This appears to a case, multiple cases, actually, of carelessness and inattention. Detectify researchers found the problem, and warn that sensitive corporate information could be compromised. Slack moved quickly to address this third-party issue by revoking the roughly 1400 credentials developers left flapping out there in the virtual breeze.

Dave Bittner: [00:03:20:11] Security publication Dark Reading, offers some advice for business travelers. Seven sensible steps you should take to protect yourself: Avoid using public-use terminals; Use a VPN client when connecting to WiFi; Keep your devices in hand while at breakfast; Get loaner devices from IT, and we'd add, use them; Don't swipe your card at sketchy ATMs, gift shops, or hotel restaurants; Install remote wipe software, and finally, avoid using desk and lamp USB ports.

Dave Bittner: [00:03:50:12] Good advice all of it. For some additional insight into the risks that accompany point-of-sale systems, we spoke with Level 3 expert, Dale Drew. We'll hear from him after the break.

Dave Bittner: [00:04:00:11] Ransomware hasn't gone away, so do continue to back up your files. Triumfant researchers have been taking a look at the Locky strain of ransomware, and they point out that it morphs too quickly for signature-based detection to be of much protective worth. In fact, as Triumfant observed Locky, they found it shapeshifted as often as five times a day.

Dave Bittner: [00:04:24:02] This CyberWire podcast is brought to you by the Digital Harbor Foundation, a non-profit that works with youth and educators to foster learning, creativity, productivity and community through technology education. Learn more at digitalharbor.org.

Dave Bittner: [00:04:44:21] Joining me is Dale Drew, he's the Chief Security Officer at Level 3 Communications, one of our academic and research partners.

Dave Bittner: [00:04:51:12] Dale, point-of-sales systems are certainly a popular attack target for bad guys, and your team has been doing some research on a particularly sophisticated strain of point-of-sale malware called PoSeidon.

Dale Drew: [00:05:02:02] Well this is one where I think that industry collaboration really paid off in stopping a potentially very serious industry issue. This is one where we received information from our industry partners, through Palo Alto Unit 42 and through Cisco, on some emerging malware that they had discovered called PoSeidon. We then took those signatures and we implemented them in our Internet backbone and saw a very emerging and very sophisticated set of attacks that were occurring. So what we discovered was a very specific actor that appears to be related to organized crime that was targeting European credit card providers and merchants with this malware.

Dale Drew: [00:05:52:09] They were compromising the company through phishing attacks. They were depositing that malware on internal computers, and then that malware was programmed to compromise the point-of-sale terminal and sniff out credit cards. So we notified the victims that we found on the Internet backbone. We instituted an algorithm that automatically detected it and automatically blocked it on the backbone. And we protected our Internet backbone, our customers and the Internet as a whole from this very sophisticated attack.

Dave Bittner: [00:06:23:14] And what's your advice for people who are running point-of-sale systems, to protect themselves against this sort of thing?

Dale Drew: [00:06:29:24] I'd say it's really two things. The one thing is, we can't stress enough making sure that the employee enterprise desktops do not have any visibility to the production point-of-sale systems. In almost all of the attacks the victim networks were very flat. Once the bad guy compromised either a data center system, or compromised a desktop, they were able to gain access to pretty much the entire production network, because there is no separation between the production network and the employee network.

Dale Drew: [00:07:04:23] So making sure that you have contained isolation areas so that when there is a compromise that it's isolated within that specific area is pretty critical. And these are lessons learned that we've learned through other compromises, like Sony as an example.

Dale Drew: [00:07:23:02] The other lesson to learn I'd say is, having access to a threat intelligence infrastructure that shows you behavior of your traffic is critical. So when you're dealing with zero-day attack really the best way - if not the only way - to detect that is to have something that is machine learning your behavior, your network's behavior, your communications behavior, your protocol behavior and telling you when it sees something anomalous.

Dale Drew: [00:07:51:10] So when we went to all these victims, and we asked these victims, "Is it normal for a single employee desktop to gain access to all of the point-of-sale terminals?" The answer was, "Absolutely not." Had they had a machine-learning threat intelligence infrastructure, that was able to determine that that was not usual behavior, they would've detected it the moment it occurred.

Dave Bittner: [00:08:13:12] Dale Drew from Level 3 Communications, thanks for joining us. And remember, we want to hear your questions for our academic and research partners. You can email them to: questions@thecyberwire.com.

Dave Bittner: [00:08:27:21] This CyberWire podcast is made possible by the generous support of Wide Angle Youth Media, a non-profit that provides free media education to Baltimore youth to tell their own stories and become civic leaders. Learn, watch, and connect at wideanglemedia.org.

Dave Bittner: [00:08:55:22] As we look back at the week that's now ending, we've heard considerable woofing from ISIS about it's new cyber attack capability. No one looking at the Caliphate, still less the newly-formed cyber army of sympathizers, the United Cyber Caliphate, takes its technical claims particularly seriously.

Dave Bittner: [00:09:12:16] The hacktivists striking for jihad, seem capable of little beyond skid-level, script kiddie vandalism of poorly protected targets of opportunity.

Dave Bittner: [00:09:20:22] Propaganda and inspiration, however, are quite a different matter, and here ISIS has shown considerable ability to get its message out online. The United Cyber Caliphate made a familiar and unwelcome move as the week began, posting a hit list of murder targets for the use of ISIS sympathizers in the Dar al-Harb. Most of those on the list are in New York, and the FBI is taking appropriately serious steps to investigate.

Dave Bittner: [00:09:45:03] The increasingly overt US cyber campaign against ISIS seems to be having an effect. In some respects it's targeting, in others jamming, and in others spoofing. In still other respects, the US campaign offers a kind of paranoia-as-a-service, inducing potential ISIS recruits to think that everything is witnessed, everything known. The campaign may be hitting ISIS at its weakest point. After all, if you say you're a Caliphate, you've got to show the kind of worldly success that should flow from divine sanction. But if you look like a loser, then you've lost. So, good hunting, Cyber Command.

Dave Bittner: [00:10:20:15] Verizon's industry-standard Data Breach Report appeared this week, moving the Harvard Business Review to the belated realization that data breaches aren't just the IT department's concern any more. We sat down with Dave Ostertag, Global Investigations Manager for Verizon's Risk Team.

Dave Ostertag: [00:10:37:01] We see very commonly the same things over and over again, and first in that pattern is compromising infrastructure to re-purpose it for their malicious use. Once they get access into a server use it as a command and control point, a data aggregator or exfiltration point.

Dave Ostertag: [00:10:55:21] The next is a continuation of a trend of the increase in the use of phishing, you know there's that weak link there with people clearly showing that someone will always open the email, click on the link, or open the attachment. We consistently see, even though we still know, that just like phishing is bad, we know that single factor access into our networks are bad, but we continue to see users single factor access into the network.

Dave Ostertag: [00:11:21:14] And then the other use of phishing in these attacks involves spear phishing. They'll do a research in foot-printing and social engineering and identify that individual, that executive, that manager, that key member that would have access to the data that they're looking for. Whether it be a project, a set of statistics, an intellectual property or whatever it might be, the phishing attack in this case hits the end-user system that might contain the very information they're looking for.

Dave Ostertag: [00:11:51:04] And then malware. Malware is absolutely you know a key intersection in the play book that the bad guys use. Where we used to see the bad guys manually go into a network, and RDP into systems that manually conduct all of things involved in the data breach, you know, stealing credentials, and using those credentials to explore the network, to find data, to aggregate the data and exfiltrate the data, now the malware does all of that for them.

Dave Ostertag: [00:12:18:17] You've got less chance of detection, greater spread across the network. It ends up looking more like legitimate business, and the malware being the key to that is very common.

Dave Ostertag: [00:12:30:15] And then finally it's credentials. And by far the one tool that the bad guys use that make it more difficult to detect, and more successful in execution, is the use of stolen credentials. For the initial attack after using Single Factor Authentication like I talked about and then also, once you get into the network, the bad guys uses your elevated level privileged credentials to transverse the network and gain access to those servers and the system to have the data they're looking for.

Dave Bittner: [00:13:02:04] Despite the variety of attack vectors, the team at Verizon did notice a specific trend.

Dave Ostertag: [00:13:07:08] When we look across industry verticals, and look for patterns, or trends, or commonalities there, one clear trend that we see in the 2016 DBR is the use of web app attacks across all verticals. That's one statistic that comes through very clearly this year. And we do have some very clear patterns within specific industries however, and when we, the writers of the Data Breach Report, are asked what we want readers to use the report for, it's the manager's security program from a risk-based perspective. And that risk being the likelihood of data being compromised.

Dave Bittner: [00:13:45:21] While some of the attacks have grown more sophisticated, Ostertag reminds us not to forget the importance of basic cyber hygiene.

Dave Ostertag: [00:13:53:23] Well when we get down to it, when we look at the methodologies the bad guys use, they're really basic. They're not Star Trek, they're not James Bond, they're not advanced. It's simple techniques of stealing credentials, of using vulnerabilities that, in a lot of cases, are easily patched, and using phishing emails and things like that. So practicing good basic security is very important.

Dave Bittner: [00:14:18:17] One of the key takeaways from Verizon Report, according to Ostertag, is not to underestimate the human factor when it comes to securing your networks.

Dave Ostertag: [00:14:27:17] I think what we clearly see in this year's report is one of the weak links are people. You know over and over again, people seem to be the weak link. Whether it be through phishing, social engineering, not practicing good protection and going to inappropriate websites, inappropriate email content, use of other crude devices. You know people continuously seem to be one of the big weak links. So I think one the huge key points that we see in this year's report, is the individual. It's the person that's being a weak link in our security chain.

Dave Bittner: [00:15:02:19] That's Dave Ostertag, Global Investigations Manager from Verizon's Risk Team. Their 2016 Data Breach Investigations Report is on their website verizionenterprise.com.

Dave Bittner: [00:15:16:03] It's been a mixed week for the security industry. Last week's SecureWorks initial public offering has been weighed, measured, and found at least in terms of initial pop, wanting. Nasdaq put a positive spin on the IPO's disappointing performance, and says, hey, at least they've got the offering out there, which is more than a lot of tech companies can say. And that's true enough. But analysts point out that investors are now looking for profit, or at least cash flow, behind the story they're told by story stocks.

Dave Bittner: [00:15:44:14] Some alarmist stories have appeared to suggest the days of venture capital's interest in cyber security are over. But we heard a different take on the market from Tim Prendergast, co-founder and CEO of Evident.io, a start up that this week raised $15.7 million in Series B funding.

Dave Bittner: [00:16:02:06] He expected the tightening of venture investment, and he thinks it augurs a culling of security startups through acquisition, or simple disappearance as the market adjusts. "Tightening the belt and letting some air out of a market that was at risk of attaining bubble status, is not only good for the consumers of security solutions, but also for the industry itself, as it forces established and emerging players to continue to be innovative and forward thinking. This really could not have come at a better time in the evolution of our industry."

Dave Bittner: [00:16:33:04] Looking at public companies, Blackberry seems to be enjoying some success repositioning itself as a cyber security play. Symantec is well in progress with a similar strategic repositioning, but disappointing guidance this week led the company's board to make a change in CEO.

Dave Bittner: [00:16:49:14] We did hear some good news last night at the Chesapeake Regional Tech Council's Annual Tech Awards. Congratulations are in order for Tenable Network Security, which won the Council's first Governor's Award. Another Baltimore cyber security firm, RedOwl Analytics, was a finalist for that award, and surely merits an honorable mention.

Dave Bittner: [00:17:08:11] Cyber security expert Marcelle Lee of the Fractal Security Group took this year’s Women in Tech award. And two startups also earned some recognition: Protenus earned the Rising Star award, and Point3 Security took home this year’s Cyber Innovator Award. Congratulations to all who won, and all who competed.

Dave Bittner: [00:17:27:09] Finally, remember those Panama Papers? And remember that Süddeutsche Zeitung said, "there's more?" Well, Computerwoche says there's more coming in May, and we note that May begins Sunday. The group that took the leak, the ICIJ, says it's going to post all 2.6 terabytes of data​​ in searchable form. Stay tuned... And have a great weekend.

Dave Bittner: [00:17:53:20] And that's the CyberWire. For links to all of today's stories, visit thecyberwire.com and while you're there subscribe to our popular daily news brief. Our editor is John Petrik. I'm Dave Bittner. Thanks for listening.