Posted by Kevin on August 29, 2014.
The ITsecurity daily security briefing: Friday, August 29, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
Someone is telling porkies
Bloomberg followed up its first story on US bank breaches with: “Russian hackers attacked JPMorgan Chase & Co. (JPM) and at least four other banks this month in a coordinated assault that resulted in the loss of gigabytes of customer data, according to two people familiar with the investigation. At least one of the banks has linked the breach to Russian state-sponsored hackers, said one of the people.” Notice the ‘sensational’ elements: gigabytes of customer data and Russian state hackers.
But within hours, Reuters reported that the banks’ own alerting service said ‘nothing to see here, guys’. “An influential U.S. financial services industry group that shares information about cyber threats has said it is unaware of any “significant” cyber attacks, downplaying concerns about possible breaches at JPMorgan Chase & Co and other banks…. ‘There are no credible threats posed to the financial services sector at this time,’ the group said in an email to its members.”
BIFROSE Now More Evasive Through Tor, Used for Targeted Attack
Trend Micro has discovered the BIFROSE malware being used in a new targeted attack. “Since this variant uses Tor in communicating with its C&C server, being able to detect Tor activity within a network will help identify potential attacks within the network, among others.” Since it is unlikely that a company would sanction the use of Tor by its staff, Tor usage detection is a valuable tool in detecting potential infections by the increasing number of bots that hide behind The Onion Router.
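The detection idea above (flag hosts that talk to the Tor network) can be prototyped as a simple log filter. The following is an added example, not code from Trend Micro or from this briefing: it matches outbound connections in a firewall log against a relay list and a port heuristic, and ranks internal hosts by how confident the match is. The log line format, the relay addresses (IETF documentation ranges, not real relays) and the sample lines are all constructed for the example; a real deployment would refresh the relay list from the Tor Project's published consensus and add TLS-fingerprint checks, since relays and bridges frequently listen on 443.

```python
import re
from datetime import datetime

# Constructed stand-in for a Tor relay list. Real lists come from the Tor
# consensus; these are documentation addresses and never route anywhere.
KNOWN_TOR_RELAYS = {
    "198.51.100.7",
    "203.0.113.42",
    "192.0.2.200",
}

# Default Tor relay ports (ORPort 9001, DirPort 9030). Heuristic only: many
# relays use 443 instead, and other services may use these ports too.
TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed firewall log (hypothetical format: ts src dst proto dport bytes).
SAMPLE_LOG = """\
2014-08-29T09:00:01 10.0.0.15 203.0.113.42 TCP 443 1450
2014-08-29T09:00:03 10.0.0.15 192.0.2.50 TCP 443 8700
2014-08-29T09:00:05 10.0.0.22 198.51.100.7 TCP 9001 512
2014-08-29T09:00:07 10.0.0.22 198.51.100.7 TCP 9001 530
2014-08-29T09:00:09 10.0.0.31 192.0.2.200 TCP 9030 4096
2014-08-29T09:00:11 10.0.0.40 198.51.100.99 TCP 9001 300
2014-08-29T09:05:00 10.0.0.15 203.0.113.42 TCP 443 1460
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport, nbytes = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "proto": proto,
        "dport": int(dport),
        "bytes": int(nbytes),
    }


def classify(rec):
    """Return a reason string if the record looks like Tor traffic, else None.

    A relay-list hit is checked first because it is the stronger signal;
    the port check only catches relays or bridges missing from the list.
    """
    if rec["dst"] in KNOWN_TOR_RELAYS:
        return "destination is a listed Tor relay"
    if rec["dport"] in TOR_DEFAULT_PORTS:
        return f"destination port {rec['dport']} is a Tor default port (heuristic)"
    return None


def detect_tor(log_text):
    """Return one alert dict per log record that matches a Tor indicator."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        reason = classify(rec)
        if reason:
            alerts.append({**rec, "reason": reason})
    return alerts


def hosts_by_confidence(alerts):
    """Map each alerting internal host to 'high' (listed relay contacted)
    or 'low' (port heuristic only), keeping the strongest level seen."""
    summary = {}
    for a in alerts:
        level = "high" if a["dst"] in KNOWN_TOR_RELAYS else "low"
        if summary.get(a["src"]) != "high":
            summary[a["src"]] = level
    return summary


if __name__ == "__main__":
    found = detect_tor(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts'].isoformat()} {a['src']} -> {a['dst']}:{a['dport']}  {a['reason']}")
    print("hosts to triage:", hosts_by_confidence(found))
```

On the constructed log, three hosts contact listed relays and are ranked high, while 10.0.0.40 is ranked low because it only matches the port heuristic; that host is exactly the case a stale relay list would miss, which is why the list must be refreshed regularly and a heuristic kept alongside it.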
Researchers Cracked the ‘Great Firewall’ in China
Researchers from Harvard and the University of California San Diego have monitored China’s national firewall by creating their own social network, posting a variety of messages, and noting what happens to them. Surprisingly, you seem able to criticize government officials, but you are not allowed to incite protest. “While the study has found some interesting details, it may be some time before the true extent of the firewall is understood.”
“Crypto Ransomware” CTB-Locker (Critroni.A) on the rise
Security researcher Kafeine has a detailed analysis of the Critroni cryptolocker. Although it was originally targeted against Russian users, it now seems more widely used; so although not new, it is a new threat to most of us.
Malware don't need Coffee:
Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks
Kaspersky Lab has a detailed analysis of Spam in July
The analysis shows the incidence of spam (it increased by 2.2% from June to 67% of all email traffic in July); the sources of spam (USA, Russia and China, in that order, are the leading sources); the malware contained in malicious spam (top villain was the Dofoil downloader); incidence of phishing (Kaspersky registered 20,157,877 detections in July); and much more. It is well worth a read to see if you are a likely target in the future.
How Google handles your data
This is Google’s own analysis of its behaviour. Privacy experts may disagree. “Google works hard to earn and keep [your] trust, and we want you to be aware of our achievements and commitments in each of these areas. To help answer some of the many questions we receive, we have created this FAQ. Be sure to check our pages on reliability, security, privacy, compliance and transparency.”
PITOU: The “silent” resurrection of the notorious Srizbi kernel spambot
F-Secure has published a report and analysis on PITOU/Srizbi. “We began monitoring the development of a mysterious malware that first emerged in early April 2014 when we noticed some intriguing features in the threat’s technical aspects. Further analysis revealed a close link to an old threat known as Srizbi, which infected machines and used them to send out spam email messages (in other words, a spambot).”
ICS Amsterdam 2014
SANS’ 2014 European ICS Security Summit will be held in Amsterdam, Netherlands on September 21st and 22nd. The Summit is followed by a week of in-depth, hands-on training courses running from September 23rd – 27th, including SANS’ new specialist ICS course, ICS410.
Amsterdam, Netherlands | Sun, Sep 21 – Sat, Sep 27, 2014
Not all scams are cyber – this is phone
“Your caller ID says ‘FTC’ or ‘IRS,’ and the phone number has the ‘202’ Washington, DC area code. You might even look the number up and see that it’s a real government phone number. But the person calling isn’t really from the FTC, IRS, or any other agency. It’s a government imposter whose goal is to convince you to send money before you figure out it’s a scam.”