Tuesday, October 28, 2014

Fidelity National Financial warns of data leak after phishing attack



Fidelity National Financial has been contacting an “undisclosed number of individuals”, notifying them that a selection of personal data may have been exposed after some of the Fortune 500 company’s employees had their email accounts targeted by a phishing campaign, SC Magazine reports.

The personal information includes Social Security numbers, bank account numbers, driver’s license numbers and payment card numbers, but at this stage Fidelity National Financial (FNF) has not revealed how many individuals may have been exposed in the breach, which was caused by a phishing campaign that targeted the email accounts of a ‘small number of employees’.

Federal law enforcers have been informed, and a third-party security expert has been brought in to scope out the nature and extent of the attack. Steps have also been put in place to stop similar events occurring in the future, including enhanced security on email accounts and information and training available to employees.


Dridex Spreading via Word Docs "Banking Malware"



Cybercriminals using the Dridex banking Trojan to steal sensitive information from Internet users have changed the way they are distributing the malware, according to researchers from Palo Alto Networks.

Dridex, which is a successor of the Cridex/Feodo/Geodo Trojans, was first spotted in July. The threat is used by cybercriminals to obtain the information they need for fraudulent bank transactions.

Until recently, Dridex was mostly distributed via executable files attached to spam emails. However, researchers at Palo Alto Networks noticed that cybercriminals have started delivering the threat with the aid of macros placed inside innocent-looking Microsoft Word documents.



Phishing Campaign Linked with “Dyre” Banking Malware



Systems Affected

Microsoft Windows
Overview

Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payload(s).[1][2] Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware.

Description

The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors.[3] Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched versions of Adobe Reader.[4][5] After successful exploitation, a user's system will download Dyre banking malware. All of the major anti-virus vendors have successfully detected this malware prior to the release of this alert.[6]

Please note, the below listing of indicators does not represent all characteristics and indicators for this campaign.

Phishing Email Characteristics:
Subject: "Unpaid invoic" (Spelling errors in the subject line are a characteristic of this campaign)
Attachment: Invoice621785.pdf

System Level Indicators (upon successful exploitation):
Copies itself to C:\Windows\[RandomName].exe
Creates a service named "Google Update Service" by setting the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"
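
The indicators above, turned into two small detection checks: one over raw e-mail messages (subject line and attachment name) and one over a table of Windows service registry values. This is an added example, not code from the US-CERT alert; the indicator values come from the alert, while the sample messages, the service table and all function names are constructed for the demo.

```python
"""Flag e-mails and Windows service entries matching the Dyre campaign
indicators from the alert (added example; indicator values from the alert,
sample data constructed)."""
import re
from email import message_from_string

# Subject line seen in the campaign, misspelling included.
SUSPECT_SUBJECTS = {"unpaid invoic"}
# Attachment naming seen in the campaign (Invoice621785.pdf).
ATTACHMENT_RE = re.compile(r"^invoice\d+\.pdf$", re.IGNORECASE)
# The dropped binary sits directly under C:\Windows with a random name.
WINDOWS_ROOT_EXE_RE = re.compile(r'^"?[a-z]:\\windows\\[^\\"]+\.exe"?$',
                                 re.IGNORECASE)


def pdf_attachments(msg):
    """Return the file names of PDF attachments in a parsed message."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if part.get_content_type() == "application/pdf" or name.lower().endswith(".pdf"):
            names.append(name)
    return names


def dyre_email_indicators(raw_message):
    """Return the campaign indicators that a raw RFC 822 message matches."""
    msg = message_from_string(raw_message)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        hits.append("subject:" + subject)
    for name in pdf_attachments(msg):
        if ATTACHMENT_RE.match(name):
            hits.append("attachment:" + name)
    return hits


def dyre_service_indicators(services):
    """services maps a key under HKLM\\SYSTEM\\CurrentControlSet\\Services to
    its ImagePath/DisplayName values. Returns keys that look like the Dyre
    persistence entry: Google-Update naming plus an exe directly in C:\\Windows."""
    hits = []
    for key, values in services.items():
        google_named = (key.lower() == "googleupdate"
                        or values.get("DisplayName") == "Google Update Service")
        if google_named and WINDOWS_ROOT_EXE_RE.match(values.get("ImagePath", "")):
            hits.append(key)
    return hits


# Constructed sample messages (not real campaign mail).
SAMPLE_PHISH = """\
From: billing@example.invalid
To: user@example.invalid
Subject: Unpaid invoic
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/pdf; name="Invoice621785.pdf"
Content-Disposition: attachment; filename="Invoice621785.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

SAMPLE_BENIGN = """\
From: accounts@example.invalid
To: user@example.invalid
Subject: Invoice 621785 has been paid

Thanks, nothing further to do.
"""

# Constructed service table: the entry from the alert beside a normal service.
SAMPLE_SERVICES = {
    "googleupdate": {"ImagePath": r"C:\WINDOWS\pfdOSwYjERDHrdV.exe",
                     "DisplayName": "Google Update Service"},
    "Spooler": {"ImagePath": r"C:\Windows\System32\spoolsv.exe",
                "DisplayName": "Print Spooler"},
}

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, dyre_email_indicators(raw))
    print("suspicious services:", dyre_service_indicators(SAMPLE_SERVICES))
```

The alert itself notes the list is not exhaustive, so a miss on these checks says nothing about a host; a hit is a reason to pull the file and the service entry for analysis.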
Impact


A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services.
Solution


Users and administrators are recommended to take the following preventive measures to protect their computer networks from phishing campaigns:
Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks [7] for more information on social engineering attacks.
Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.[8]
Follow safe practices when browsing the web. See Good Security Habits [9] and Safeguarding Your Data [10] for additional details.
Maintain up-to-date anti-virus software.
Keep your operating system and software up-to-date with the latest patches.

US-CERT collects phishing email messages and website locations so that we can help people avoid becoming victims of phishing scams.

You can report phishing to us by sending email to phishing-report@us-cert.gov.
References

[1] MITRE Summary of CVE-2013-2729, accessed October 16, 2014
[2] MITRE Summary of CVE-2010-0188, accessed October 16, 2014
[3] New Banking Malware Dyreza, accessed October 16, 2014
[4] Adobe Security Updates Addressing CVE-2013-2729, accessed October 16, 2014
[5] Adobe Security Updates Addressing CVE-2010-0188, accessed October 16, 2014
[6] VirusTotal Analysis, accessed October 16, 2014
[7] US-CERT Security Tip (ST04-014) Avoiding Social Engineering and Phishing Attacks
[8] US-CERT Recognizing and Avoiding Email Scams
[9] US-CERT Security Tip (ST04-003) Good Security Habits
[10] US-CERT Security Tip (ST06-008) Safeguarding Your Data
Revisions



October 27, 2014: Initial Release

Thursday, October 23, 2014

Darrell Issa Smells Another Obama Scandal In Bank Fraud Cases



WASHINGTON -- Congress is out of session and won't be back until Nov. 12. But that isn't stopping House Oversight Committee Chairman Darrell Issa (R-Calif.) from demanding that consumer watchdogs cough up an ocean of paperwork while he's out of town.

Issa has been waging a minor year-long crusade against a handful of Department of Justice investigations into petty consumer fraud. It hasn't caught on the way his probes into Benghazi and Lois Lerner have, but Issa has riled up his fellow House Republicans and issued a report claiming that DOJ's "Operation Choke Point," which seeks to cut off fraudsters from the banking system, is actually a secret Obama administration plot to destroy payday lenders, and maybe firearms dealers and other industries.

So far, Republicans haven't provided any evidence that any bank has ended any relationship with a legitimate firm due to pressure from Obama bureaucrats. But the investigation has created a lot of headaches for people at Justice and the FDIC who want to root out fraud from the financial system.


And now Issa and Rep. Jim Jordan (R-Ohio) appear to have set their sights higher. On Oct. 16, they sent letters to Federal Reserve Chair Janet Yellen and Comptroller of the Currency Thomas Curry claiming to have a new smoking gun, and demanding piles of documents from both agencies.

"The Committee on Oversight and Government Reform continues its oversight of a multiple federal agency initiative forcing banks to terminate the accounts of legal businesses disfavored by the Administration," Issa and Jordan wrote. "A compliance regime that forces banks to sever all relations with legal and legitimate customers is totally unacceptable."

Anti-money laundering laws have long barred banks from moving illegal cash through the financial system. Banks, as a result, have to keep tabs on their customers and make sure they aren't processing payments or harboring cash for organized crime, drug cartels or petty scammers. DOJ's Operation Choke Point focuses on petty fraudsters. Their first case, from January, documented a host of consumer horror stories from people being ripped off by payday lenders and Ponzi schemes. North Carolina's Four Oaks Bank had been giving carte blanche to transactions, even after recognizing a huge volume of suspicious activity, according to details in the lawsuit.

Source and full story here: http://www.huffingtonpost.com/2014/10/23/darrell-issa-payday-lending_n_6037752.html

Wednesday, October 22, 2014

Microsoft Releases Advisory for Unpatched Windows Vulnerability



Microsoft has released a security advisory to provide recommended mitigations for an unpatched vulnerability (CVE-2014-6352), which affects all Microsoft Windows releases except Windows Server 2003. This vulnerability could allow an attacker to take control of an affected system if a user opens a specially crafted Microsoft Office file.



US-CERT recommends users and administrators review the Microsoft Security Advisory and apply the recommended workarounds.

Friday, October 17, 2014

Apple Releases Security Update - Secure Transport



About Security Update 2014-005

This document describes the security content of Security Update 2014-005.

This update can be downloaded and installed using Software Update or from the Apple Support website.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see Apple Security Updates.
Security Update 2014-005


Secure Transport

Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: An attacker may be able to decrypt data protected by SSL

Description: There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.

CVE-ID

CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of Google Security Team

Note: Security Update 2014-005 includes the security content of OS X bash Update 1.0
Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.

SSL 3.0 Protocol Vulnerability and POODLE Attack



Systems Affected

All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.

Overview

US-CERT is aware of a design vulnerability found in the way SSL 3.0 handles block cipher mode padding. The POODLE attack demonstrates how an attacker can exploit this vulnerability to decrypt and extract information from inside an encrypted transaction.
Description


The SSL 3.0 vulnerability stems from the way blocks of data are encrypted under a specific type of encryption algorithm within the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.

While SSL 3.0 is an old encryption standard and has generally been replaced by Transport Layer Security (TLS) (which is not vulnerable in this way), most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. Even if a client and server both support a version of TLS, the SSL/TLS protocol suite allows for protocol version negotiation (referred to as the “downgrade dance” in other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. An attacker who can trigger a connection failure can then force the use of SSL 3.0 and attempt the new attack. [1]

Two other conditions must be met to successfully execute the POODLE attack: 1) the attacker must be able to control portions of the client side of the SSL connection (varying the length of the input) and 2) the attacker must have visibility of the resulting ciphertext. The most common way to achieve these conditions would be to act as Man-in-the-Middle (MITM), requiring a whole separate form of attack to establish that level of access.

These conditions make successful exploitation somewhat difficult. Environments that are already at above-average risk for MITM attacks (such as public WiFi) remove some of those challenges.
Impact


The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).
Solution


There is currently no fix for the vulnerability in SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.

Some of the same researchers who discovered the vulnerability also developed a fix for one of the prerequisite conditions: TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from forcing a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV to its latest versions and recommends the following upgrades: [2]
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks.
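
A simulation of the fallback behaviour the alert describes, with and without TLS_FALLBACK_SCSV on each side, added here as an illustration (it is not US-CERT's or OpenSSL's code). The handshake is reduced to a client version and a cipher-suite list: 0x5600 is the real TLS_FALLBACK_SCSV value, while the Server class, the retrying client and the connection-dropping attacker model are simplifications made for the demo.

```python
"""Version fallback ("downgrade dance") with and without TLS_FALLBACK_SCSV.
Added example; the protocol is reduced to version numbers and suite values."""

SSL30, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSL30: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}
TLS_FALLBACK_SCSV = 0x5600   # signalling suite a client adds on a retry at a lower version
AES128_CBC_SHA = 0x002F      # stand-in for an ordinary CBC suite the client offers


class HandshakeError(Exception):
    """Fatal alert sent by the server."""


class Server:
    def __init__(self, max_version, min_version=SSL30, honors_scsv=True):
        self.max_version = max_version    # highest version the server speaks
        self.min_version = min_version    # set to TLS10 to disable SSL 3.0 outright
        self.honors_scsv = honors_scsv    # False models a server without the SCSV fix

    def accept(self, client_version, cipher_suites):
        """Process a ClientHello; return the negotiated version or raise."""
        if (self.honors_scsv and TLS_FALLBACK_SCSV in cipher_suites
                and client_version < self.max_version):
            # The client says this is a retry at a lower version, yet we speak a
            # higher one, so the earlier attempt was interfered with. Refuse.
            raise HandshakeError("inappropriate_fallback")
        chosen = min(client_version, self.max_version)
        if chosen < self.min_version:
            raise HandshakeError("protocol_version")
        return chosen


def connect_with_fallback(transport, versions, use_scsv):
    """Legacy client behaviour: try versions from highest to lowest and treat a
    dropped connection as a flaky server, retrying one version lower. With
    use_scsv, every retry advertises TLS_FALLBACK_SCSV."""
    for attempt, version in enumerate(versions):
        suites = [AES128_CBC_SHA]
        if use_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)
        try:
            return transport(version, suites)
        except ConnectionResetError:
            continue
    raise HandshakeError("no version could be negotiated")


def negotiate(server, attacker_blocks_tls, use_scsv):
    """Run one connection under the alert's attacker model: a MITM that drops
    every handshake offering TLS 1.0 or higher. Returns the outcome as text."""
    def transport(version, suites):
        if attacker_blocks_tls and version > SSL30:
            raise ConnectionResetError("handshake dropped by MITM")
        return server.accept(version, suites)

    try:
        chosen = connect_with_fallback(transport, [TLS12, TLS11, TLS10, SSL30], use_scsv)
        return VERSION_NAMES[chosen]
    except HandshakeError as err:
        return "failed: " + str(err)


if __name__ == "__main__":
    modern = Server(TLS12)
    print("no attacker:              ", negotiate(modern, False, False))  # TLS 1.2
    print("MITM, no SCSV:            ", negotiate(modern, True, False))   # SSL 3.0
    print("MITM, SCSV on both sides: ", negotiate(modern, True, True))    # failed: inappropriate_fallback
    print("MITM, server ignores SCSV:", negotiate(Server(TLS12, honors_scsv=False), True, True))  # SSL 3.0
    print("MITM, SSL 3.0 disabled:   ", negotiate(Server(TLS12, min_version=TLS10), True, False))  # failed: protocol_version
```

The third and fourth cases are the point of the sentence above: the SCSV only helps when the client sends it and the server acts on it, whereas disabling SSL 3.0 on the server (last case) closes the downgrade regardless of client support.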

Other SSL 3.0 implementations are most likely also affected by POODLE. Contact your vendor for details. Additional vendor information may be available in the National Vulnerability Database (NVD) entry for CVE-2014-3566. [3]
References

[1] This Poodle Bites: Exploiting The SSL Fallback
[2] OpenSSL Security Advisory [15 Oct 2014]
[3] Vulnerability Summary for CVE-2014-3566
Revisions



October 17, 2014: Initial Release

Thursday, October 16, 2014

KnowBe4 Issues Alert: CryptoWall 2.0 Ransomware Moves to TOR Network



Tampa Bay, FL (PRWEB) October 15, 2014

KnowBe4 issued an alert to IT Managers that a new version of the world's most widespread ransomware, CryptoWall, has migrated to the TOR network. It has been upgraded to version 2.0, and continues to encrypt files so that a ransom can be extracted if there are no backups or if the backup process fails, which is a common occurrence.

KnowBe4 received a panic call from an IT admin who was hit this week with CryptoWall. The admin's workstation became infected with the malware. The workstation was mapped to 7 servers and within an hour, the entire server farm was shut down. The admin explained he had backups but it would take days to recover the data and get them back up and running. The company's operations would be severely impacted.

"The cyber criminals hit pay dirt with this one and the admin ended up paying the ransom, 1.3 Bitcoin, rather than face the serious costs caused by days of downtime," said Stu Sjouwerman, KnowBe4's CEO. "This is the next generation of ransomware and you can expect this new version to spread like wildfire."

OpenSSL Patches Four Vulnerabilities


OpenSSL has released updates patching four vulnerabilities, some of which may allow an attacker to cause a Denial of Service (DoS) condition or execute man-in-the-middle attacks. The following updates are available:
OpenSSL 1.0.1 users should upgrade to 1.0.1j
OpenSSL 1.0.0 users should upgrade to 1.0.0o
OpenSSL 0.9.8 users should upgrade to 0.9.8zc

US-CERT recommends users and administrators review the OpenSSL Security Advisory for additional information and apply the necessary updates.

Tuesday, October 14, 2014

Sandworm APT Team finds Zero Day Bug for Windows



UPDATE–A cyberespionage team, possibly based in Russia, has been using a Windows zero day vulnerability to target a variety of organizations in several countries, including the United States, Poland, Ukraine and western Europe. The vulnerability, which will be patched today by Microsoft, is trivially exploitable and researchers say that the team behind the attacks has been using it since August to deliver the Black Energy malware.

Researchers at iSIGHT Partners said that the team, which they’ve dubbed Sandworm, likely has been active since 2009 and has been using the Windows vulnerability CVE-2014-4114 in conjunction with a series of other flaws in order to compromise users at government agencies, NATO, academic institutions, a telecom, defense and energy firms. The attackers use highly targeted spearphishing emails in order to lure users into opening a rigged PowerPoint file that contains the exploit code for the vulnerability. Once the exploit code fires, it then downloads the Black Energy malware and begins gathering sensitive data for exfiltration.

Researchers at iSIGHT said that the malware steals sensitive documents, SSL keys and code-signing certificates, among other things. The Windows zero day affects all currently supported versions of Windows and researchers said that exploiting the bug is extremely simple. The exploit code can be loaded into any Office document and when it executes, the machine doesn’t crash, so the user is likely unaware of the attack.

Source and Full Story Here: http://threatpost.com/sandworm-apt-team-found-using-windows-zero-day-vulnerability/108815?utm_source=twitterfeed&utm_medium=twitter

Friday, October 10, 2014

Signed Malware = Expensive “Oops” for HP



Computer and software industry maker HP is in the process of notifying customers about a seemingly harmless security incident in 2010 that nevertheless could prove expensive for the company to fix and present unique support problems for users of its older products.

Earlier this week, HP quietly produced several client advisories stating that on Oct. 21, 2014 it plans to revoke a digital certificate the company previously used to cryptographically sign software components that ship with many of its older products. HP said it was taking this step out of an abundance of caution because it discovered that the certificate had mistakenly been used to sign malicious software way back in May 2010.

Snapchat Says Photo Leak Is Coming From "Illegal" Third-Party Apps #TheSnappening


Snapchat responded to a reported leak of photos sent through its service this morning, saying it was not a result of a breach of the company’s security.

Instead, it was a result of a leak from a third-party application, the company said. Such third-party applications hook into features of services built by companies like Facebook and Google; in Snapchat's case, applications that can send and receive Snaps are at fault.

“Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security,” Mary Ritti, a spokesperson for Snapchat, told BuzzFeed News. “We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”

'Mayhem' Malware Exploits Shellshock



Malware known as "Mayhem" that targets Unix and Linux systems has been updated to exploit Shellshock flaws. But while the malware has been tied to a long-running campaign that's compromised numerous servers and PCs, security experts say they still don't know attackers' ultimate aims.

That Mayhem warning is being sounded by a group of anti-malware crusaders who call themselves "Malware Must Die." They say the updated malware, which they've dubbed "Mayhem Shellshock," is being used for in-the-wild attacks.

Dairy Queen Confirms Card Breach



Dairy Queen has confirmed that Backoff point-of-sale malware was used in a payment card breach that affected 395 of its 4,500 franchised U.S. locations.

The ice cream and fast food chain says more than half a million cards may have been compromised.

"I cannot identify a specific number of cards that may have been impacted by this issue because we do not have visibility into the detailed card-transaction data at all affected stores," Dairy Queen spokesman Dean Peters tells Information Security Media Group. "However, we do believe that the number of unique cards affected were less than 600,000."

Wednesday, October 8, 2014

Cisco Releases Security Advisory for ASA



Cisco has released an advisory to address multiple vulnerabilities in the Cisco Adaptive Security Appliance (ASA) that could result in a denial of service condition. Cisco has released free software updates that address these vulnerabilities.

Users and administrators are encouraged to review the Cisco Advisory and apply the necessary updates.

Tuesday, October 7, 2014

Happy National Cyber Security Awareness Month



The Internet is part of everyone’s life, every day. We use the Internet at work, home, for enjoyment, and to connect with those close to us.

However, being constantly connected brings increased risk of theft, fraud, and abuse. No country, industry, community, or individual is immune to cyber risks. As a nation, we face constant cyber threats against our critical infrastructure and economy. As individuals, cybersecurity risks can threaten our finances, identity, and privacy. Since our way of life depends on critical infrastructure and the digital technology that operates it, cybersecurity is one of our country’s most important national security priorities, and we each have a role to play—cybersecurity is a shared responsibility.

National Cyber Security Awareness Month is designed to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cybersecurity and increasing the resiliency of the nation in the event of a cyber incident. October 2014 marks the 11th Annual National Cyber Security Awareness Month, sponsored by the Department of Homeland Security in cooperation with the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center.

Visit http://www.dhs.gov/national-cyber-security-awareness-month-2014 for more information on how to protect yourself, friends, and family.

Hackers Steal Millions In Cash From ATMs, Using Tyupkin Malware



Attackers add in failsafes to prevent innocents from triggering attack and money mules from going rogue.


Attackers are infecting ATMs in Asia, Europe, and Latin America with malware, and walking off with stacks of cash, Kaspersky has found. Using the malware, called Tyupkin, and a team of money mules, the attackers have stolen what amounts to millions of dollars in cash.

“Over the last few years, we have observed a major upswing in ATM attacks using skimming devices and malicious software," said Vicente Diaz, principal security researcher at Kaspersky Lab, in a statement. "Now we are seeing the natural evolution of this threat with cyber-criminals moving up the chain and targeting financial institutions directly. This is done by infecting ATMs themselves or launching direct APT-style attacks against banks. The Tyupkin malware is an example of the attackers taking advantage of weaknesses in the ATM infrastructure.”

The good news is that the infection and theft require physical access to the ATM. The bad news is that it's easy to come by, since ATMs are intended to be physically accessible by the general public 24/7. That said, the attackers only went after machines that did not have security alarms installed.

Huge Data Leak at Largest U.S. Bond Insurer



On Monday, KrebsOnSecurity notified the Municipal Bond Insurance Association — the nation’s largest bond insurer — that a misconfiguration in a company Web server had exposed countless customer account numbers, balances and other sensitive data. Much of the information had been indexed by search engines, including a page listing administrative credentials that attackers could use to access data that wasn’t already accessible via a simple Web search.
