Tuesday, December 27, 2016

BofA Corporate Headquarters

In case you are wondering (not likely, but just in case) in 1997 Bank of America moved it corporate headquarters from San Francisco to Charlotte NC not for financial reasons, but for the political pressures being placed on it by the City of San Francisco.

Charlotte should be very careful, it is one thing to loose an event it is another to loose businesses all together.

As an aside, here is what the City of San Francisco passed last week.

Source: http://sfbaytimes.com/san-franciscos-official-response-to-the-election-of-trump/



WHEREAS, On November 8, 2016, Donald Trump was elected to become the 45th President of the United States; now, therefore, be it

RESOLVED, That no matter the threats made by President-elect Trump, San Francisco will remain a Sanctuary City. We will not turn our back on the men and women from other countries who help make this city great, and who represent over one third of our population. This is the Golden Gate—we build bridges, not walls; and, be it

FURTHER RESOLVED, That we will never back down on women’s rights, whether in healthcare, the workplace, or any other area threatened by a man who treats women as obstacles to be demeaned or objects to be assaulted. And just as important, we will ensure our young girls grow up with role models who show them they can be or do anything; and, be it

FURTHER RESOLVED, That there will be no conversion therapy, no withdrawal of rights in San Francisco. We began hosting gay weddings twelve years ago, and we are not stopping now. And to all the LGBTQ people all over the country who feel scared, bullied, or alone: You matter. You are seen; you are loved; and San Francisco will never stop fighting for you; and, be it

FURTHER RESOLVED, That we still believe in this nation’s founding principle of religious freedom. We do not ban people for their faith. And the only lists we keep are on invitations to come pray together; and, be it

FURTHER RESOLVED, That Black Lives Matter in San Francisco, even if they may not in the White House. And guided by President Obama’s Task Force on 21st Century Policing, we will continue reforming our police department and rebuilding trust between police and communities of color so all citizens feel safe in their neighborhoods; and, be it

FURTHER RESOLVED, That climate change is not a hoax, or a plot by the Chinese. In this city, surrounded by water on three sides, science matters. And we will continue our work on CleanPower, Zero Waste, and everything else we are doing to protect future generations; and, be it

FURTHER RESOLVED, That we have been providing universal health care in this city for nearly a decade, and if the new administration follows through on its callous promise to revoke health insurance from 20 million people, San Franciscans will be protected; and, be it

FURTHER RESOLVED, That we are the birthplace of the United Nations, a city made stronger by the thousands of international visitors we welcome every day. We will remain committed to internationalism and to our friends and allies around the world—whether the administration in Washington is or not; and, be it

FURTHER RESOLVED, That San Francisco will remain a Transit First city and will continue building Muni and BART systems we can all rely upon, whether this administration follows through on its platform to eliminate federal transit funding or not; and, be it

FURTHER RESOLVED, That California is the sixth largest economy in the world. The Bay Area is the innovation capital of the country. We will not be bullied by threats to revoke our federal funding, nor will we sacrifice our values or members of our community for your dollar; and, be it

FURTHER RESOLVED, That we condemn all hate crimes and hate speech perpetrated in this election’s wake. That although the United States will soon have a President who has demonstrated a lack of respect for the values we hold in the highest regard in San Francisco, it cannot change who we are, and it will never change our values. We argue, we campaign, we debate vigorously within San Francisco, but on these points we are 100 percent united. We will fight discrimination and recklessness in all its forms. We are one City. And we will move forward together
Posted by at No comments:
Labels: , , , ,

Fake Phone Apps Designed To Take Your Money

Apparently there is a very large increase in the number of smart phone apps that are designed to do one thing, steal your banking information and the rob you blind.

According to an alert published last week by the Federal Trade Commission these apps are designed to look like stores you already trust.

Source: https://www.consumer.ftc.gov/blog/theres-app-it-might-be-fake

Read the information on the link above - knowledge is power.


Posted by at No comments:
Labels: , , ,

Thursday, September 15, 2016

Cisco Releases Security Updates

Cisco has released security updates to address vulnerabilities in several products. Exploitation of some of these vulnerabilities could allow a remote attacker to take control of an affected system.
Users and administrators are encouraged to review the following Cisco Security Advisories and apply the necessary updates:


Source: https://www.us-cert.gov/ncas/current-activity/2016/09/15/Cisco-Releases-Security-Updates
Posted by at No comments:
Labels: , , ,

Wednesday, September 7, 2016

The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations

SOURCE: https://www.us-cert.gov/ncas/alerts/TA16-250A


Systems Affected

Network Infrastructure Devices
 

Overview

The advancing capabilities of organized hacker groups and cyber adversaries create an increasing global threat to information systems. The rising threat levels place more demands on security personnel and network administrators to protect information systems. Protecting the network infrastructure is critical to preserve the confidentiality, integrity, and availability of communication and services across an enterprise.
To address threats to network infrastructure devices, this Alert provides information on recent vectors of attack that advanced persistent threat (APT) actors are targeting, along with prevention and mitigation recommendations.
 

Description

Network infrastructure consists of interconnected devices designed to transport communications needed for data, applications, services, and multi-media. Routers and firewalls are the focus of this alert; however, many other devices exist in the network, such as switches, load-balancers, intrusion detection systems, etc. Perimeter devices, such as firewalls and intrusion detection systems, have been the traditional technologies used to secure the network, but as threats change, so must security strategies. Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions; organizations must also be able to contain the impact/losses within the internal network and infrastructure.
For several years now, vulnerable network devices have been the attack-vector of choice and one of the most effective techniques for sophisticated hackers and advanced threat actors. In this environment, there has never been a greater need to improve network infrastructure security. Unlike hosts that receive significant administrative security attention and for which security tools such as anti-malware exist, network devices are often working in the background with little oversight—until network connectivity is broken or diminished. Malicious cyber actors take advantage of this fact and often target network devices. Once on the device, they can remain there undetected for long periods. After an incident, where administrators and security professionals perform forensic analysis and recover control, a malicious cyber actor with persistent access on network devices can reattack the recently cleaned hosts. For this reason, administrators need to ensure proper configuration and control of network devices.

Proliferation of Threats to Information Systems

SYNful Knock

In September 2015, an attack known as SYNful Knock was disclosed. SYNful Knock silently changes a router’s operating system image, thus allowing attackers to gain a foothold on a victim’s network. The malware can be customized and updated once embedded. When the modified malicious image is uploaded, it provides a backdoor into the victim’s network. Using a crafted TCP SYN packet, a communication channel is established between the compromised device and the malicious command and control (C2) server. The impact of this infection to a network or device is severe and most likely indicates that there may be additional backdoors or compromised devices on the network. This foothold gives an attacker the ability to maneuver and infect other hosts and access sensitive data.
The initial infection vector does not leverage a zero-day vulnerability. Attackers either use the default credentials to log into the device or obtain weak credentials from other insecure devices or communications. The implant resides within a modified IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. Any further modules loaded by the attacker will only exist in the router’s volatile memory and will not be available for use after the device reboots. However, these devices are rarely or never rebooted.
To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code. The attacker examines the functionality of the router and determines functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment.
The attacker can utilize the secret backdoor password in three different authentication scenarios. In these scenarios the implant first checks to see if the user input is the backdoor password. If so, access is granted. Otherwise, the implanted code will forward the credentials for normal verification of potentially valid credentials. This generally raises the least amount of suspicion. Cisco has provided an alert on this attack vector. For more information, see the Cisco SYNful Knock Security Advisory (link is external).
Other attacks against network infrastructure devices have also been reported, including more complicated persistent malware that silently changes the firmware on the device that is used to load the operating system so that the malware can inject code into the running operating system. For more information, please see Cisco's description of the evolution of attacks on Cisco IOS devices (link is external).

Cisco Adaptive Security Appliance (ASA)

A Cisco ASA device is a network device that provides firewall and Virtual Private Network (VPN) functionality. These devices are often deployed at the edge of a network to protect a site’s network infrastructure, and to give remote users access to protected local resources.
In June 2016, NCCIC received several reports of compromised Cisco ASA devices that were modified in an unauthorized way. The ASA devices directed users to a location where malicious actors tried to socially engineer the users into divulging their credentials.
It is suspected that malicious actors leveraged CVE-2014-3393 to inject malicious code into the affected devices. The malicious actor would then be able to modify the contents of the Random Access Memory Filing System (RAMFS) cache file system and inject the malicious code into the appliance’s configuration. Refer to the Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software (link is external)for more information and for remediation details.
In August 2016, a group known as “Shadow Brokers” publicly released a large number of files, including exploitation tools for both old and newly exposed vulnerabilities. Cisco ASA devices were found to be vulnerable to the released exploit code. In response, Cisco released an update to address a newly disclosed Cisco ASA Simple Network Management Protocol (SNMP) remote code execution vulnerability (CVE-2016-6366). In addition, one exploit tool targeted a previously patched Cisco vulnerability (CVE-2016-6367). Although Cisco provided patches (link is external) to fix this Cisco ASA command-line interface (CLI) remote code execution vulnerability in 2011, devices that remain unpatched are still vulnerable to the described attack. Attackers may target vulnerabilities for months or even years after patches become available.

Impact

If the network infrastructure is compromised, malicious hackers or adversaries can gain full control of the network infrastructure enabling further compromise of other types of devices and data and allowing traffic to be redirected, changed, or denied. Possibilities of manipulation include denial-of-service, data theft, or unauthorized changes to the data.
Intruders with infrastructure privilege and access can impede productivity and severely hinder re-establishing network connectivity. Even if other compromised devices are detected, tracking back to a compromised infrastructure device is often difficult.
Malicious actors with persistent access to network devices can reattack and move laterally after they have been ejected from previously exploited hosts.
 

Solution

1.    Segregate Networks and Functions

Proper network segmentation is a very effective security mechanism to prevent an intruder from propagating exploits or laterally moving around an internal network. On a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to sensitive data and intellectual property. Security architects must consider the overall infrastructure layout, segmentation, and segregation. Segregation separates network segments based on role and functionality. A securely segregated network can contain malicious occurrences, reducing the impact from intruders, in the event that they have gained a foothold somewhere inside the network.
Physical Separation of Sensitive Information
Local Area Network (LAN) segments are separated by traditional network devices such as routers. Routers are placed between networks to create boundaries, increase the number of broadcast domains, and effectively filter users’ broadcast traffic. These boundaries can be used to contain security breaches by restricting traffic to separate segments and can even shut down segments of the network during an intrusion, restricting adversary access.
Recommendations:
  • Implement Principles of Least Privilege and need-to-know when designing network segments.
  • Separate sensitive information and security requirements into network segments.
  • Apply security recommendations and secure configurations to all network segments and network layers.
Virtual Separation of Sensitive Information        
As technologies change, new strategies are developed to improve IT efficiencies and network security controls. Virtual separation is the logical isolation of networks on the same physical network. The same physical segmentation design principles apply to virtual segmentation but no additional hardware is required. Existing technologies can be used to prevent an intruder from breaching other internal network segments.
Recommendations:
  • Use Private Virtual LANs to isolate a user from the rest of the broadcast domains.
  • Use Virtual Routing and Forwarding (VRF) technology to segment network traffic over multiple routing tables simultaneously on a single router.
  • Use VPNs to securely extend a host/network by tunneling through public or private networks.


2.    Limit Unnecessary Lateral Communications

Allowing unfiltered workstation-to-workstation communications (as well as other peer-to-peer communications) creates serious vulnerabilities, and can allow a network intruder to easily spread to multiple systems. An intruder can establish an effective “beach head” within the network, and then spread to create backdoors into the network to maintain persistence and make it difficult for defenders to contain and eradicate.
Recommendations:
  • Restrict communications using host-based firewall rules to deny the flow of packets from other hosts in the network. The firewall rules can be created to filter on a host device, user, program, or IP address to limit access from services and systems.
  • Implement a VLAN Access Control List (VACL), a filter that controls access to/from VLANs. VACL filters should be created to deny packets the ability to flow to other VLANs.
  • Logically segregate the network using physical or virtual separation allowing network administrators to isolate critical devices onto network segments.
     

3.    Harden Network Devices

A fundamental way to enhance network infrastructure security is to safeguard networking devices with secure configurations. Government agencies, organizations, and vendors supply a wide range of resources to administrators on how to harden network devices. These resources include benchmarks and best practices. These recommendations should be implemented in conjunction with laws, regulations, site security policies, standards, and industry best practices. These guides provide a baseline security configuration for the enterprise that protects the integrity of network infrastructure devices. This guidance supplements the network security best practices supplied by vendors.
Recommendations:
  • Disable unencrypted remote admin protocols used to manage network infrastructure (e.g., Telnet, FTP).
  • Disable unnecessary services (e.g. discovery protocols, source routing, HTTP, SNMP, BOOTP).
  • Use SNMPv3 (or subsequent version) but do not use SNMP community strings.
  • Secure access to the console, auxiliary, and VTY lines.
  • Implement robust password policies and use the strongest password encryption available.
  • Protect router/switch by controlling access lists for remote administration.
  • Restrict physical access to routers/switches.
  • Backup configurations and store offline. Use the latest version of the network device operating system and update with all patches.
  • Periodically test security configurations against security requirements.
  • Protect configuration files with encryption and/or access controls when sending them electronically and when they are stored and backed up.
     

4.    Secure Access to Infrastructure Devices

Administrative privileges on infrastructure devices allow access to resources that are normally unavailable to most users and permit the execution of actions that would otherwise be restricted. When administrator privileges are improperly authorized, granted widely, and/or not closely audited, intruders can exploit them. These compromised privileges can enable adversaries to traverse a network, expanding access and potentially allowing full control of the infrastructure backbone. Unauthorized infrastructure access can be mitigated by properly implementing secure access policies and procedures.
Recommendations:
  • Implement Multi-Factor Authentication – Authentication is a process to validate a user’s identity. Weak authentication processes are commonly exploited by attackers. Multi-factor authentication uses at least two identity components to authenticate a user’s identity. Identity components include something the user knows (e.g., password); an object the user has possession of (e.g., token); and a trait unique to the specific person (e.g., biometric).
  • Manage Privileged Access – Use an authorization server to store access information for network device management. This type of server will enable network administrators to assign different privilege levels to users based on the principle of least privilege. When a user tries to execute an unauthorized command, it will be rejected. To increase the strength and robustness of user authentication, implement a hard token authentication server in addition to the AAA server, if possible. Multi-factor authentication increases the difficulty for intruders to steal and reuse credentials to gain access to network devices.
  • Manage Administrative Credentials – Although multi-factor authentication is highly recommended and a best practice, systems that cannot meet this requirement can at least improve their security level by changing default passwords and enforcing complex password policies. Network accounts must contain complex passwords of at least 14 characters from multiple character domains including lowercase, uppercase, numbers, and special characters. Enforce password expiration and reuse policies. If passwords are stored for emergency access, keep these in a protected off-network location, such as a safe.
     

5.    Perform Out-of-Band Management

Out-of-Band (OoB) management uses alternate communication paths to remotely manage network infrastructure devices. These dedicated paths can vary in configuration to include anything from virtual tunneling to physical separation. Using OoB access to manage the network infrastructure will strengthen security by limiting access and separating user traffic from network management traffic. OoB management provides security monitoring and can implement corrective actions without allowing the adversary who may have already compromised a portion of the network to observe these changes.
OoB management can be implemented physically or virtually, or through a hybrid of the two. Building additional physical network infrastructure is the most secure option for the network managers, although it can be very expensive to implement and maintain. Virtual implementation is less costly, but still requires significant configuration changes and administration. In some situations, such as access to remote locations, virtual encrypted tunnels may be the only viable option.
Recommendations:
  • Segregate standard network traffic from management traffic.
  • Enforce that management traffic on devices only comes from the OoB.
  • Apply encryption to all management channels.
  • Encrypt all remote access to infrastructure devices such as terminal or dial-in servers.
  • Manage all administrative functions from a dedicated host (fully patched) over a secure channel, preferably on the OoB.
  • Harden network management devices by testing patches, turning off unnecessary services on routers and switches, and enforcing strong password policies. Monitor the network and review logs Implement access controls that only permit required administrative or management services (SNMP, NTP SSH, FTP, TFTP).
     

6.    Validate Integrity of Hardware and Software

Products purchased through unauthorized channels are often known as “counterfeit,” “secondary,” or “grey market” devices. There have been numerous reports in the press regarding grey market hardware and software being introduced into the marketplace. Grey market products have not been thoroughly tested to meet quality standards and can introduce risks to the network. Lack of awareness or validation of the legitimacy of hardware and software presents a serious risk to users’ information and the overall integrity of the network environment. Products purchased from the secondary market run the risk of having the supply chain breached, which can result in the introduction of counterfeit, stolen, or second-hand devices. This could affect network performance and compromise the confidentiality, integrity, or availability of network assets. Furthermore, breaches in the supply chain provide an opportunity for malicious software or hardware to be installed on the equipment. In addition, unauthorized or malicious software can be loaded onto a device after it is in operational use, so integrity checking of software should be done on a regular basis.
Recommendations:
  • Maintain strict control of the supply chain; purchase only from authorized resellers.
  • Require resellers to implement a supply chain integrity check to validate hardware and software authenticity.
  • Inspect the device for signs of tampering.
  • Validate serial numbers from multiple sources.
  • Download software, updates, patches, and upgrades from validated sources.
  • Perform hash verification and compare values against the vendor’s database to detect unauthorized modification to the firmware.
  • Monitor and log devices, verifying network configurations of devices on a regular schedule.
  • Train network owners, administrators, and procurement personnel to increase awareness of grey market devices.

Shadow Broker Exploits
VendorCVEExploit NameVulnerability
FortinetCVE-2016-6909   EGREGIOUSBLUNDERAuthentication cookie overflow
WatchGuard   CVE-2016-7089ESCALATEPLOWMANCommand line injection via ipconfig
CiscoCVE-2016-6366EXTRABACONSNMP remote code execution
CiscoCVE-2016-6367EPICBANANACommand line injection remote code execution
CiscoN/ABENIGNCERTAIN/PIXPOCKET   Information/memory leak
TOPSECN/AELIGIBLEBACHELORAttack vector unknown, but has an XML-like payload
beginning with <?tos length="001e.%8.8x"?
TOPSECN/AELIGIBLEBOMBSHELLHTTP cookie command injection
TOPSECN/AELIGIBLECANDIDATEHTTP cookie command injection
TOPSECN/AELIGIBLECONTESTANTHTTP POST parameter injection
Posted by at No comments:
Labels: , ,

Tuesday, September 6, 2016

Bayer buying Monsanto

Source: http://tinyurl.com/hdxokfz




ST. LOUIS--()--Monsanto Company (NYSE:MON) confirmed it has been engaged in constructive negotiations with Bayer AG, during which it has received an updated non-binding proposal for a potential acquisition of Monsanto for $127.50 per share in cash. Monsanto is continuing these conversations as it evaluates this proposal, as well as proposals from other parties and other strategic alternatives to enable its Board of Directors to determine if a transaction in the best interests of its shareowners can be realized.


Monsanto will have no further comment at this time. There is no assurance that any transaction will be entered into or consummated, or on what terms.
   
Morgan Stanley & Co. and Ducera Partners are acting as financial advisors, and Wachtell, Lipton, Rosen & Katz is acting as legal advisor to Monsanto.
Posted by at No comments:
Labels: ,

Friday, September 2, 2016

Shhh... Don't express yourself.

YouTube Declares War on Politically Incorrect Opinions. http://tiny.iavian.net/c3av Download

Posted by at No comments:

Guccifer Gone

Romanian hacker 'Guccifer' sentenced to 52 months in U.S. prison. http://tiny.iavian.net/c3c1

Posted by at No comments:
Labels:

Millions of Dead Bees

‘Like it’s been nuked’: Millions of bees dead after South Carolina sprays for Zika mosquitoes. http://tiny.iavian.net/c37i

Posted by at No comments:
Labels:

Wednesday, August 24, 2016

Liberty Mutual uses LAWTRAC

Liberty Mutual accuses back clinic Marque Medicos of workers comp insurance fraud, demands $17 million http://cookcountyrecord.com/stories/510997776-liberty-mutual-accuses-back-clinic-marque-medicos-of-workers-comp-insurance-fraud-demands-17-million
Posted by at No comments:

FTC Releases Alert on Louisiana Flood Disaster Scams

Source:  https://www.us-cert.gov/ncas/current-activity/2016/08/23/FTC-Releases-Alert-Louisiana-Flood-Disaster-Scams




The Federal Trade Commission (FTC) has released an alert on scams that cite the recent flood disaster in Louisiana. These charity scams take many forms, including emails containing links or attachments that direct users to phishing or malware-infected websites. Donation requests from fraudulent charitable organizations commonly appear after major natural disasters.

US-CERT encourages users to take the following measures to protect themselves:

  • Review the FTC alert and its information on Charity Scams.
  • Do not follow unsolicited web links or attachments in email messages.
  • Keep antivirus and other computer software up-to-date.
  • Check this Better Business Bureau (BBB) list for helping Louisiana flood victims before making any donations to this cause.
  • Verify the legitimacy of any email solicitation by contacting the organization directly through a trusted contact number. You can find trusted contact information for many charities on the BBB National Charity Report Index.
  • Refer to Security Tip ST04-014 – Avoiding Social Engineering and Phishing Attacks – for more information on social engineering attacks.
Posted by at No comments:

LAWTRAC and Teach for America

Mitratech Releases Getting to the Core of Legal Efficiency at Teach For America http://www.marketwired.com/press-release/mitratech-releases-getting-to-the-core-of-legal-efficiency-at-teach-for-america-2152837.htm
Posted by at No comments:
Labels: ,

Tuesday, July 12, 2016

Ransomware

Source: https://www.us-cert.gov/ncas/alerts/TA16-091A

Ransomware and Recent Variants

Overview

In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.
The United States Department of Homeland Security (DHS), in collaboration with Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.

Description

WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 dollars and must be paid in virtual currency, such as Bitcoin.
Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and users systems can become infected with additional malware. Ransomware displays intimidating messages similar to those below:
  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.
This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files, and render them useless until criminals receive a ransom.
In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. It propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious attachments contain macros or JavaScript files to download Ransomware-Locky files.
Samas, another variant of destructive ransomware, was used to compromise the networks of healthcare facilities in 2016. Unlike Locky, Samas propagates through vulnerable Web servers. After the Web server was compromised, uploaded Ransomware-Samas files were used to infect the organization’s networks.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.
The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including
  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.
US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
  • Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks or the Security Publication on Ransomware for more information.
Individuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center.

References

Revisions

  • March 31, 2016: Initial publication
  • May 6, 2016: Clarified guidance on offline backups
  • July 11, 2016: Added link to governmental interagency guidance on ransomware
Posted by at No comments:
Labels: , ,

Thursday, June 2, 2016

Lenovo Accelerator Application Insecure Update Mechanism


Don't believe the rumor, this does not apply to ThinkPad or ThinkStation laptops.

Source: https://support.lenovo.com/us/en/product_security/len_6718


A vulnerability was identified in the Lenovo Accelerator Application software which could lead to exploitation by an attacker with man-in-the-middle capabilities. The vulnerability resides within the update mechanism where a Lenovo server is queried to identify if application updates are available.
The Lenovo Accelerator Application is used to speed up the launch of Lenovo applications and was installed in some notebook and desktop systems preloaded with the Windows 10 operating system.




Lenovo Security Advisory: LEN-6718



Potential Impact: Remote code execution by an attacker with local network access


Severity: High


Scope of Impact: Lenovo products described below


Mitigation Strategy for Customers (what you should do to protect yourself):
Lenovo recommends customers uninstall Lenovo Accelerator Application by going to the “Apps and Features” application in Windows 10, selecting Lenovo Accelerator Application and clicking on “Uninstall”.


Product Impact:
The Lenovo Accelerator Application was installed on some consumer notebook and desktop systems preloaded with the Windows 10 operating system.





Posted by at No comments:
Labels: , , ,

Wednesday, June 1, 2016

Mitratech - Lawtrac Video


Posted by at No comments:

Mitratech - Lawtrac Whiteboard Video


Posted by at No comments:

Wednesday, April 20, 2016

MySQL Users - Update Your Servers Now


Source: Oracle


Oracle kind-a 'hid' the fact that some major security vulnerabilities were found in their MySQL product by listing the effected versions way at the bottom of their Critical Patch Advisory for April 2016.


From Oracle:



Description
A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:
Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
This Critical Patch Update contains 136 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at https://blogs.oracle.com/security.
Please note that on March 23, 2016, Oracle released Security Alert for Java SE for CVE-2016-0636. Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced for CVE-2016-0636.
Please also note that the vulnerabilities in this Critical Patch Update are scored using versions 3.0 and 2.0 of Common Vulnerability Scoring Standard (CVSS). Future Critical Patch Updates and Security Alerts will be scored using CVSS version 3.0 only.
This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available here.









Posted by at No comments:
Labels: , , , , ,

Monday, April 18, 2016

Urgent - Uninstall Quick Time

REF: US-CERT


Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced

   

Microsoft Windows with Apple QuickTime installed

Overview

According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation. [1] (link is external)

Description

All software products have a lifecycle. Apple will no longer be providing security updates for QuickTime for Windows. [1] (link is external)
The Zero Day Initiative has issued advisories for two vulnerabilities found in QuickTime for Windows. [2] (link is external) [3] (link is external)

Impact

Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems.

Solution

Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime (link is external) page. [4]

References

Posted by at No comments:
Labels: , , , ,

Tuesday, April 12, 2016

Old Mill Pens Intro

Posted by at No comments:

Thursday, April 7, 2016

FTC Alert: Tech-Support Scams

Source: US-CERT
The Federal Trade Commission (FTC) has released an alert on tech-support themed telephone scams. In these schemes, fraudulent callers claim to be from legitimate technical support organizations and offer to fix computer problems that don't exist. Users should not give control of their computers to anyone who calls offering to "fix" a problem.
By: Andrew Johnson 
Division of Consumer and Business Education, FTC

There’s a new twist on tech-support scams — you know, the one where crooks try to get access to your computer or sensitive information by offering to “fix” a computer problem that doesn’t actually exist. Lately, we’ve heard reports that people are getting calls from someone claiming to be from the Global Privacy Enforcement Network. Their claim? That your email account has been hacked and is sending fraudulent messages. They say they’ll have to take legal action against you, unless you let them fix the problem right away.

If you raise questions, the scammers turn up the pressure – but they’ve also given out phone numbers of actual Federal Trade Commission staff (who have been surprised to get calls). The scammers also have sent people to the actual website for the Global Privacy Enforcement Network. (It’s a real thing: it’s an organization that helps governments work together on cross-border privacy cooperation.)

Here are few things to remember if you get any kind of tech-support call, no matter who they say they are:

  • Don’t give control of your computer to anyone who calls you offering to “fix” your computer.
  • Never give out or confirm your financial or sensitive information to anyone who contacts you.
  • Getting pressure to act immediately? That’s a sure sign of a scam. Hang up.
  • If you have concerns, contact your security software company directly. Use contact information you know is right, not what the caller gives you.

Posted by at No comments:
Labels: , ,

Friday, April 1, 2016

Armor Welcomes New Chief Marketing Officer Diana Massaro

About Armor
The leader in active cyber defense, Armor offers customer-centric security outcomes for retail and eCommerce enterprises, healthcare organizations, payment leaders and financial institutions. Armor protects highly sensitive data for the most security-conscious companies in the world. With its proven cybersecurity approach and proprietary cloud infrastructure built specifically for security, compliance and performance, responsible businesses choose Armor to reduce their risk.


Armor Welcomes New Chief Marketing Officer Diana Massaro
Posted by at No comments:
Labels: ,

Jim's Soapbox: Ransomware and Recent Variants

Jim's Soapbox: Ransomware and Recent Variants: Source: US_CERT WHAT IS RANSOMWARE? Ransomware is a type of malware that infects computer systems, restricting users’ access to the ...
Posted by at No comments:

Reuters Headlines

Posted by at No comments:
Labels:

Ransomware and Recent Variants

Source: US_CERT


WHAT IS RANSOMWARE?

Ransomware is a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 dollars and must be paid in virtual currency, such as Bitcoin.
Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access into an organization’s network.

WHY IS IT SO EFFECTIVE?

The authors of ransomware instill fear and panic into their victims, causing them to click on a link or pay a ransom, and users systems can become infected with additional malware. Ransomware displays intimidating messages similar to those below:
  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

PROLIFERATION OF VARIANTS

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.


This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files, and render them useless until criminals receive a ransom.


In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. It propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious attachments contain macros or JavaScript files to download Ransomware-Locky files.


Samas, another variant of destructive ransomware, was used to compromise the networks of healthcare facilities in 2016. Unlike Locky, Samas propagates through vulnerable Web servers. After the Web server was compromised, uploaded Ransomware-Samas files were used to infect the organization’s networks.

LINKS TO OTHER TYPES OF MALWARE

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.


The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including
  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.
US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
  • Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.
Individuals or organizations are discouraged from paying the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center.

References

Posted by at No comments:
Labels: , ,

Thursday, March 31, 2016

Reuters Headlines

Posted by at No comments:
Labels:

Thursday, March 10, 2016

Cisco Cable Modem with Digital Voice Remote Code Execution Vulnerability


Source: Cisco


A vulnerability in the web server used in the Cisco Cable Modem with Digital Voice Model DPC2203 could allow an unauthenticated, remote attacker to exploit a buffer overflow and cause arbitrary code execution.
The vulnerability is due to improper input validation for HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device.
Cisco has released software updates to its service provider customers that address the vulnerability described in this advisory. Prior to contacting Cisco TAC, customers are advised to contact their service providers to confirm the software deployed by the service provider includes the fix that addresses this vulnerability. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160309-cmre

Affected Products

  • Vulnerable Products

    The following Cisco product are vulnerable:
    • Cisco Cable Modem with Digital Voice Model DPC2203
    • Cisco Cable Modem with Digital Voice Model EPC2203

    Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by this vulnerability.

Workarounds

  • There are no workarounds that address this vulnerability.

Fixed Software

  • Cisco has released software updates to its service provider customers that address the vulnerability described in this advisory. Prior to contacting Cisco TAC, customers are advised to contact their service providers to confirm the software deployed by the service provider includes the fix that addresses this vulnerability.

    By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
    http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Posted by at No comments:
Labels: , , ,

Tuesday, March 8, 2016

DoD Issues Cybersecurity Discipline Guidance

Source: Army Times http://www.armytimes.com/
The Defense Department recently issued a military-wide cybersecurity discipline implementation plan, a document that aims to hold leaders accountable for cybersecurity up and down the chain of command and report progress and setbacks.
The plan was originally issued in October but updated in February and made public on the DoD CIO site in early March. It shares some similarities with the Pentagon’s other large-scale cyber assessment tool, the department’s strategic cybersecurity scorecard that reports service-level compliance directly to the Defense secretary. The difference between the two is that the discipline implementation plan targets tactical-level compliance, and each has different reporting mechanisms – the discipline plan routes users to the Defense Readiness Reporting System to report their status with the requirements.
The new plan centers on four lines of effort, which actually correspond with the cybersecurity scorecard. They include:

  • Strong authentication to degrade the adversaries' ability to maneuver on DoD information networks;
  • Device hardening to reduce internal and external attack vectors into DoD information networks;
  • Reduce attack surface to reduce external attack vectors into DoD information networks; and
  • Alignment to cybersecurity/computer network defense service providers to improve detection of and response to adversary activity
"The requirements within each line of effort represent a prioritization of all existing DoD cybersecurity requirements. Each line of effort focuses on a different aspect of cybersecurity defense-in-depth that is being exploited by our adversaries to gain access to DoD information networks,” the document states. “Securing DoD information networks to provide mission assurance requires leadership at all levels to implement cybersecurity discipline, enforce accountability, and manage the shared risk to all DoD missions … this campaign forces awareness and accountability for these key tasks into the command chains and up to senior leadership, where resourcing decisions can be made to address compliance shortfalls."
Each of the four lines of effort includes a thorough explanation of the goal, followed by multiple tasks and questions designed to assess compliance, vulnerability and progress. An appendix further details prioritizes tasks from the discipline implementation and from previously issued DoD cybersecurity campaign guidance, and weights DoD’s cybersecurity objectives.
"Work on these tasks can proceed in parallel; these lists guide the application of limited resources to the most critical tasks for securing and defending segments of the network across the Department,” the document notes. “Of primary importance is implementing a healthy cybersecurity culture across all ranks, one that ingrains a self-correcting discipline similar to the nuclear enterprise or other critical, highly reliable organizations. If we fail to change the culture, we will fail to secure the enterprise regardless of any defenses installed otherwise."
Despite the use of the term ‘discipline’ in its title though, one thing the new plan seems to lack, at least in the unclassified version: consequences for failing to meet goals or maintain security. It’s not immediately clear what might happen to people who fall short of requirements or fall to cyberattacks.
Posted by at No comments:
Labels: , , , ,

Wednesday, March 2, 2016

IRS and US-CERT Caution Users: Prepare for Heightened Phishing Risk This Tax Season

Overview

Throughout the year, scam artists pose as legitimate entities—such as the Internal Revenue Service (IRS), other government agencies, and financial institutions—in an attempt to defraud taxpayers. They employ sophisticated phishing campaigns to lure users to malicious sites or entice them to activate malware in infected email attachments. To protect sensitive data, credentials, and payment information, US-CERT and the IRS recommend taxpayers prepare for heightened risk this tax season and remain vigilant year-round.

Remain alert

Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. In many successful incidents, recipients are fooled into believing the phishing communication is from someone they trust. An actor may take advantage of knowledge gained from research and earlier attempts to masquerade as a legitimate source, including the look and feel of authentic communications. These targeted messages can trick any user into taking action that may compromise enterprise security.

Spot common elements of the phishing lifecycle

  1. A Lure: enticing email content.
  2. A Hook: an email-based exploit.
    • Email with embedded malicious content that is executed as a side effect of opening the email
    • Email with malicious attachments that are activated as a side effect of opening an attachment
    • Email with “clickable” URLs: the body of the email includes a link, which displays as a recognized, legitimate website, though the actual URL redirects the user to malicious content
  3. A Catch: a transaction conducted by an actor following a successful attempt.
    • Unexplainable charges
    • Unexplainable password changes

Understand how the IRS communicates electronically with taxpayers

  • The IRS does not initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.
  • This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
  • The official website of the IRS is www.irs.gov.

Take action to avoid becoming a victim

If you believe you might have revealed sensitive information about your organization or access credentials, report it to the appropriate contacts within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
Watch for any unexplainable charges to your financial accounts. If you believe your accounts may be compromised, contact your financial institution immediately and close those accounts.
If you believe you might have revealed sensitive account information, immediately change the passwords you might have revealed. If you used the same password for multiple accounts, make sure to change the password for each account and do not use that password in the future.

Report suspicious phishing communications

  • Email: If you read an email claiming to be from the IRS, do not reply or click on attachments and/or links. Forward the email as-is to phishing@irs.gov (link sends e-mail), then delete the original email.
  • Website: If you find a website that claims to be the IRS and suspect it is fraudulent, send the URL of the suspicious site to phishing@irs.gov (link sends e-mail) with subject line, “Suspicious website”.
  • Text Message: If you receive a suspicious text message, do not reply or click on attachments and/or links. Forward the text as-is to 202-552-1226 (standard text rates apply), and then delete the original message (if you clicked on links in SMS and entered confidential information, visit the IRS’ identity protection page).
If you are a victim of any of the above scams involving IRS impersonation, please report to phishing@irs.gov (link sends e-mail), file a report with the Treasury Inspector General for Tax Administration (TIGTA), the Federal Trade Commission (FTC), and the police.

Additional Resources

For more information on phishing, other suspicious IRS-related communications including phone or fax scams, or additional guidance released by Treasury/IRS and DHS/US-CERT, visit:
To report a cybersecurity incident, vulnerability, or phishing attempt, visit US-CERT.gov/report.

Author

US-CERT and IRS
Posted by at No comments:
Labels: , , , , , ,

Tuesday, March 1, 2016

OpenSSL Security Advisory

National Cyber Awareness System:
OpenSSL Releases Security Advisory
03/01/2016 11:04 AM EST

Original release date: March 01, 2016
OpenSSL has released updates to address vulnerabilities in prior versions. Exploitation of some of these vulnerabilities may allow a remote attacker to obtain sensitive information. Updates available include:
  • OpenSSL 1.0.2g for 1.0.2 users
  • OpenSSL 1.0.1s for 1.0.1 users
Users and administrators are encouraged to review the OpenSSL Security Advisory and apply the necessary updates.
OpenSSL Security Advisory [1st March 2016]
=========================================

NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as
well as removing SSLv2 EXPORT ciphers.  We strongly advise against the use of
SSLv2 due not only to the issues described below, but to the other known
deficiencies in the protocol as described at
https://tools.ietf.org/html/rfc6176


Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
================================================================

Severity: High

A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle.  Note that traffic between clients and
non-vulnerable servers can be decrypted provided another server supporting
SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or
POP) shares the RSA keys of the non-vulnerable server. This vulnerability is
known as DROWN (CVE-2016-0800).

Recovering one session key requires the attacker to perform approximately 2^50
computation, as well as thousands of connections to the affected server. A more
efficient variant of the DROWN attack exists against unpatched OpenSSL servers
using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on
19/Mar/2015 (see CVE-2016-0703 below).

Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS
servers, if they've not done so already. Disabling all SSLv2 ciphers is also
sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and
1.0.2f) have been deployed.  Servers that have not disabled the SSLv2 protocol,
and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
ciphers are nominally disabled, because malicious clients can force the use of
SSLv2 with EXPORT ciphers.

OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN:

SSLv2 is now by default disabled at build-time.  Builds that are not configured
with "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will
need to explicitly call either of:

   SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
   or
   SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate.  Even if either of those is used, or the application explicitly
uses the version-specific SSLv2_method() or its client or server variants,
SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed.
Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no
longer available.

In addition, weak ciphers in SSLv3 and up are now disabled in default builds of
OpenSSL.  Builds that are not configured with "enable-weak-ssl-ciphers" will
not provide any "EXPORT" or "LOW" strength ciphers.

OpenSSL 1.0.2 users should upgrade to 1.0.2g
OpenSSL 1.0.1 users should upgrade to 1.0.1s


More At: https://www.openssl.org/news/secadv/20160301.txt
Posted by at No comments:
Labels: , , , , ,
Subscribe to: Posts (Atom)