Posted by Kevin on September 30, 2014.
The ITsecurity daily security briefing: Tuesday, September 20, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
FBI’s Malware Investigator (for the public) still pending
The FBI announced at Virus Bulletin 2014 that its Malware Investigator (a sort of souped-up law enforcement version of Virus Total) would be made available to the public. You can see a brief report on ThreatPost here.
But this is hardly new – you can get more details from an almost identical announcement back in February: “It’s not clear how the FBI plans on interfacing with the public in order to share malware samples. But Comey suggested Malware Investigator would offer a way to send a sample into the system and receive a report on it quickly. The idea, he said, is to gather intelligence from many sources on where certain types of malware-oriented cyberattacks may be occurring. It might act as a unified threat-reporting system.” (NetworkWorld)
When they eventually get round to it I’m hoping for two things. Firstly that they speed up delivery of the results (currently reports are returned “within as little as an hour” which is way too long for businesses concerned about malware on their networks); and secondly that they share the samples with the AV companies. If they don’t do the latter it will be virus developers rather than businesses that will use the new service. (Actually, I’d rather like to see an ‘s’ after ‘http’ on that URL as well – just for reassurance.)
Conservative policy towards the Human Rights Act has serious consequences for privacy and freedom of expression
Hawktalk, Amberhawk Training’s blog, reported yesterday that “Under plans to be unveiled tomorrow (Tuesday) at the Conservative Conference, Chris Grayling, Secretary of State at the Ministry of Justice, is expected to state that a future Conservative Government will introduce legislation that ensures that Human Rights cases are determined by Britain’s Supreme Court and not judges sitting in Strasbourg.”
Cameron is simply fed up with the EU imposing human rights on the UK people when he is trying to strip them away. He will attempt to disguise this under national jingoism saying that British Courts must be supreme in Britain, but the reality is that EU human rights is a bit of a problem for an authoritarian fascist-leaning (I say that advisedly) prime minister.
Hawktalk gives an example: “The dangers of this approach can be considered by reference to the DNA database and the case of UK v Marper which provides a timely example of Mr. Grayling’s policy at work. This case was considered by the House of Lords which judged that there was no human rights breach if the police retained indefinitely personal data that represented the DNA profile of a data subject, even when the data subject had not been found guilty of an offence.
“The House of Lords judgment was overturned unanimously by the Grand Chamber of the European Court of Human Rights (ECHR); it was a 17-0 victory for Marper. This has resulted in the changes in UK law identified in the Protection of Freedoms Act 2012 and now the DNA database focuses on the guilty.”
Signed CryptoWall delivered via widespread malvertising campaign
On Sunday, Barracuda Labs reported that it had discovered a widespread malvertising campaign delivering the CryptoWall ransomware. The poison ads were being distributed by the Zedo ad network and affected at least five Alexa top-ranked websites. “Upon successful compromise, an instance of CryptoWall ransomware is installed on the victim’s system. The particular instance delivered via tonight’s campaign has a valid digital signature and appears to have been signed just hours before its distribution.”
Apple issues incomplete OS X patch for Shellshock
After first claiming that “The vast majority of [Macintosh] OS X users are not at risk to recently reported ‘Bash’ vulnerabilities,” Apple has now released a patch for OS X Lion, Mountain Lion, and Mavericks.
Note, however, “Testing by ZDNet showed that while the patch fixed the issues outlined in the original CVE-2014-6271 report and CVE-2014-7169, OS X remains vulnerable to CVE-2014-7186.”
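A way to check the ZDNet finding on a host of your own, as an added example that is not from the briefing, Apple or ZDNet: the three probes are the ones published in the public vendor advisories for these CVEs, and the script assumes a bash binary on PATH (or a path passed as the first argument).

```shell
# Added example: self-test a bash binary for the three Shellshock CVEs the
# ZDNet report names, using the probes from the public vendor advisories.
# Each check returns 0 = patched, 1 = vulnerable, 2 = could not test.

check_cve_2014_6271() {
  bin=${1:-bash}
  command -v "$bin" >/dev/null 2>&1 || return 2
  # Patched bash imports the function but ignores the trailing command,
  # so "vulnerable" is never echoed.
  out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo probe' 2>/dev/null) || true
  case $out in *vulnerable*) return 1 ;; esac
  return 0
}

check_cve_2014_7169() {
  bin=${1:-bash}
  command -v "$bin" >/dev/null 2>&1 || return 2
  # The incomplete first fix let a crafted function body redirect output
  # into a file named "echo"; probe inside a throwaway directory.
  tmp=$(mktemp -d) || return 2
  ( cd "$tmp" && env X='() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 ) || true
  rc=0; [ -e "$tmp/echo" ] && rc=1
  rm -rf "$tmp"
  return $rc
}

check_cve_2014_7186() {
  bin=${1:-bash}
  command -v "$bin" >/dev/null 2>&1 || return 2
  # Fourteen unterminated here-documents overflow redir_stack in an
  # unpatched bash and crash it; a patched bash only warns on stderr.
  "$bin" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1 || return 1
  return 0
}

# Run all three against one binary; returns 1 if any probe still succeeds.
shellshock_status() {
  bin=${1:-bash}
  worst=0
  for cve in 6271 7169 7186; do
    "check_cve_2014_$cve" "$bin" && rc=0 || rc=$?
    case $rc in
      0) echo "CVE-2014-$cve: patched" ;;
      1) echo "CVE-2014-$cve: VULNERABLE"; worst=1 ;;
      *) echo "CVE-2014-$cve: not tested ($bin not found)" ;;
    esac
  done
  return $worst
}
```

Run `shellshock_status /bin/bash` after installing a vendor patch; a partial fix like the one ZDNet describes shows up as one CVE still marked VULNERABLE.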
UK government demands suppliers meet cyber security standards
“Suppliers bidding for government contracts that require handling sensitive and personal information will need to comply with cyber security controls from 1 October.
“The government has developed Cyber Essentials – a set of controls to offer a ‘sound foundation of basic cyber hygiene measures which can significantly reduce a company’s vulnerability’.
“There are two levels of assurance available to satisfy the requirement – Cyber Essentials and Cyber Essentials Plus. Organisations assessed as successful in meeting the scheme’s requirements are awarded a certificate and are able to display the appropriate Cyber Essentials or Cyber Essentials Plus badge on their marketing material.
“Cabinet Office minister Francis Maude said: ‘It’s vital that we take steps to reduce the levels of cyber security risk in our supply chain. Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber attack.'”
Yet More IRS Employees Busted for Stealing Taxpayers’ Identities
“It’s hard to keep up with the privacy-threatening shenanigans at the Internal Revenue Service, but let’s give it a try. Just days after revealing that the tax agency’s failure to follow its own rules put the private data of 1.4 million people at risk, the Treasury Inspector General for Tax Administration publicized the sentencing of Tax Examining Technician Missy Sledge for aggravated identity theft and mail fraud, and IRS employee Monica Hernandez for making and subscribing a false income tax return, wire fraud, and aggravated identity theft.”
WPScan Vulnerability Database
Ryan Dewhurst has launched a new WordPress vulnerability database. He blogged yesterday: “I am pleased to announce that I launched the WPScan Vulnerability Database, a WordPress Vulnerability Database, last week during the BruCON security conference in Ghent, Belgium. The WPScan Vulnerability Database’s development was funded by BruCON’s 5by5 project, talked about in a previous post.
“The new vulnerability database will make WPScan’s database files more accessible to the public by presenting them in a more consumable manner within a web interface. This will also make the management of the vulnerabilities we have sourced over the years much easier. Within the new website there is the functionality to submit new vulnerabilities directly to us which are then moderated before being put live on the website. All issues entered into the WPScan Vulnerability Database are entered manually.”
Dewhurst Security Blog:
TimThumb is No Longer Supported or Maintained
“A long time ago – when making our first premium WordPress theme, Darren and I made TimThumb. TimThumb has been amazing – but it’s also not been without its share of problems.
“In particular in 2010 there was a major security exploit found and it hurt a lot of websites, my own included. There are still people who are suffering because of it. I’ve felt incredibly guilty about this for years now, and so my enthusiasm for TimThumb has dropped to nothing…
“It feels a little sad to be writing this – but it’s also a huge weight off my mind. Now I can go back to making WordPress themes and video games in peace.”
Tibco Software Agrees to Sell Itself to a Private Equity Firm for $4.3 Billion
“Tibco Software, an enterprise software company based in Silicon Valley, has agreed to sell itself to Vista Equity Partners for $4.3 billion in the largest buyout in the technology industry this year.
“The sale comes after a difficult year for Tibco, which has faced declining profits and pressure from an activist investor to sell.
“In the most recent quarter, Tibco said profit fell to $1.5 million from more than $8.8 million in the period a year earlier. Tibco’s stock has fallen 23 percent in the last year.”
New York Times: