Posted by Kevin on September 15, 2014.
The ITsecurity daily security briefing: Monday, September 15, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
NEWS ONLY TODAY
Kafeine finds a new exploit kit
French researcher Kafeine has found and analysed a new exploit kit (which he calls Astrum) that he believes is currently only in private use. It targets Internet Explorer, filtering out other browsers, Tor, specified IPs and .RU addresses in the process. The exploits it delivers are Flash, PDF, Silverlight and IE; Java is not among them: “It’s a trade of a now small percentage of infection for more stealth.”
Malware don’t need Coffee:
64-bit Version of MIRAS Used in Targeted Attack
Trend Micro has been looking at MIRAS, which was used for the data exfiltration stage of a targeted attack against a European IT company. “Since attacks such as these are commonly designed to leave little to no tracks at all, it is important for IT administrators to know where possible indicators of a compromise can be found, or the ‘anomalies.’ Examples of such anomalies are the presence of unknown large files, which are often indicators of a data breach and may need to be checked as they may contain data stolen from within the network. Attackers often store these files in their targets’ systems prior to the data exfiltration stage. One file indicator for MIRAS in the system is the presence of the file %System%/wbem/raswmi.dll.”
Freenode IRC compromised
Freenode issued the following statement on Saturday: “We have since identified that this was indicative of the server being compromised by an unknown third party. We immediately started an investigation to map the extent of the problem and located similar issues with several other machines and have taken those offline. For now, since network traffic may have been sniffed, we recommend that everyone change their NickServ password as a precaution.”
Law professors urge Brown to sign Drone Act
Last week, 41 law professors from across the US signed a letter urging California Governor Jerry Brown to sign the Bipartisan Drone Privacy Protection Act. “AB 1327 is a sensible solution that will allow us to provide a safer community for all without sacrificing the privacy of innocent Californians. California should join Florida, Idaho, Illinois, Indiana, Iowa, Montana, Oregon, Tennessee, Utah, and Wisconsin in passing legislation to require a warrant for law enforcement use except under specific circumstances.”
Letter to Jerry Brown:
Man’s porn conviction overturned due to sweeping NCIS search
A Washington State man’s conviction for possessing and distributing child pornography was overturned last week on appeal. The man had been discovered after an NCIS agent hacked civilian computers looking for evidence. “The ruling said the search was so sweeping, it shows ‘a profound lack of regard for the important limitations on the role of the military in our civilian society.’ It noted ‘abundant evidence’ that the Navy frequently hacks into civilian computers to search for evidence of child pornography and turns it over to the police if the computer owner has no relation to the military.”
Stars and Stripes:
Treasure Map: The NSA Breach of Telekom and Other German Firms
Spiegel has published Snowden documents showing that the NSA and GCHQ tapped into Deutsche Telekom and Netcologne as part of the ‘Treasure Map’ project to map the entire Internet. Deutsche Telekom has cables that run via Britain; Netcologne, however, is a German local provider. “Because Netcologne is a regional provider, it would seem highly likely that the NSA or one of its Treasure Map partners accessed the network from within Germany. That would be a clear violation of German law and potentially another NSA-related case for German public prosecutors. Thus far, the only NSA-related case currently being investigated is the monitoring of Chancellor Angela Merkel’s mobile phone.”
WikiLeaks provides more information on FinFisher
“WikiLeaks conservatively estimates FinFisher’s revenue from these sales to amount to around €50,000,000. Within the full list of customers, it’s worth noticing that among the largest is Mongolia, which has been recently selected as new Chair of the Freedom Online Coalition…
Some customers were identified through the analysis of support requests and attached documents they provided to FinFisher support. This included Slovakia, Mongolia, Qatar State Security, South Africa, Bahrain, Pakistan, Estonia, Vietnam, Australia NSW Police, Belgium, Nigeria, Netherlands KLPD, PCS Security in Singapore, Bangladesh, Secret Services of Hungary, Italy and Bosnia & Herzegovina Intelligence.”
New sparks fly between CIA, Senate Intelligence Committee
McClatchy reports that tension between the CIA and the Senate Intelligence Committee remains high, with the CIA refusing to say who authorized spying on the committee. “After the meeting, several senators were so incensed at Brennan that they confirmed the row and all but accused the nation’s top spy of defying Congress. ‘I’m concerned there’s disrespect towards the Congress,’ Sen. Carl Levin, D-Mich., who also serves as chairman of the Senate Armed Services Committee, told McClatchy. ‘I think it’s arrogant, I think it’s unacceptable.’”
Holder Says Private Suit Risks State Secrets
Attorney General Eric Holder has invoked ‘state-secrets privilege’ to demand that a private lawsuit be dropped. “A Greek shipping magnate accuses United Against Nuclear Iran of falsely accusing him of doing business with Iran. The businessman, Victor Restis, subpoenaed the group for its donor list and all information it had collected about him. That was when the Justice Department stepped in.” It is unclear what state secrets a private, non-governmental pressure group could be holding; it should hold none.
The New York Times:
A messy New Zealand election just got messier
Edward Snowden writes today: “Let me be clear: any statement that mass surveillance is not performed in New Zealand, or that the internet communications are not comprehensively intercepted and monitored, or that this is not intentionally and actively abetted by the GCSB, is categorically false. If you live in New Zealand, you are being watched. At the NSA I routinely came across the communications of New Zealanders in my work with a mass surveillance tool we share with GCSB, called ‘XKEYSCORE’.” In other words, Prime Minister John Key has been lying to the people.
Snowden in The Intercept:
Inspiration Mining Corporation (T.ISM) pump-and-dump spam
Dynamoo warns about a current pump-and-dump scam. The relevant email reads: “I have a new stock recommendation for you. The company is called inspirationmining and it’s trading in canada under the symbol ISM. Currently it’s priced at right under 10 cents but by next week it should hit 30 or 40 even. I know this because my wife’s uncle is the geologist at the company and they literaly just struck gold. Move quickly on this.” Dynamoo comments: “The pump and dump spam does seem to have raised the stock price from about 7.5 cents to 10.5 cents [source] but the chances are that the stock is worth much closer to zero. Avoid.”