Information Security News
We haven't really mentioned the ongoing SONY compromise here, in part because very little solid information is public (and we don't want to just speculate), and also because, without a good idea of what happened, it is difficult to talk about lessons learned.
However, one facet of the attack may have wider implications. Securelist is reporting that they spotted malware signed with a valid SONY code-signing certificate. It is very likely that the private key used to create the signature was part of the loot from the recent compromise. Malware carrying a valid signature from a major corporation is much more likely to be installed by users, and to pass controls that trust signed code. It also emphasizes again the depth at which SONY was (or is) compromised.
An effort is underway to revoke the certificate. But certificate revocation lists are notoriously unreliable and slow to update, so it may take a while for the revocation to propagate. In the meantime, defenders can block the serial number and thumbprint below directly in endpoint or application whitelisting policy rather than wait for the revocation to take effect.
Stolen certificate serial number: 01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce
Thumbprint (SHA-1): 8d f4 6b 5f da c2 eb 3b 47 57 f9 98 66 c1 99 ff 2b 13 42 7a
Adobe today released two new bulletins, and updated the Reader/Acrobat bulletin that was published a week ago.
This update fixes 6 vulnerabilities, some of which can lead to remote code execution. Adobe rates this patch with a priority of 1.
This update fixes 20 different vulnerabilities. The bulletin has a priority rating of 1.
This bulletin applies to ColdFusion 10 and 11 and fixes a denial of service vulnerability (CVE-2014-9166). The vulnerability has not been used in any exploits so far.
Charge Anywhere, a company that routes payment transactions between merchants and payment card processors, said that malicious software planted on its network may have accessed unencrypted sensitive cardholder data for almost five years.
In a statement, the company warned that some of the card data it sends or receives appears in plaintext, allowing attackers to copy it and use it in fraudulent transactions. Details including names, account numbers, expiration dates, and verification codes are known to be exposed for transactions that occurred this year from August 17 through September 24, although it's possible transactions dating back to November 5, 2009 may also have been accessed, the statement said. The disclosure came after company officials hired an unidentified security firm to investigate the breach.
"The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic," the release stated. "Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests."
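The capture the statement describes is also detectable from the defender's side with the technique the attacker used: read outbound payloads and look for card data in the clear. The script below is an added example, not code from Charge Anywhere's statement or from the firm that investigated the breach. It scans a set of captured outbound messages, treats any 13 to 19 digit run that passes the Luhn check as a candidate primary account number, masks it, and reports whether expiry and verification-code fields sit next to it. `SAMPLE_MESSAGES` is constructed for the example and uses well-known test card numbers, not real cardholder data; the field names it looks for (EXP, CVV2, expdate, cvc) are assumptions about common gateway formats.

```python
"""Scan captured outbound payloads for clear-text cardholder data."""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")
# Companion fields, matched only in a short window after the PAN.
EXPIRY_RE = re.compile(r"(?i)\b(?:exp(?:iry|iration)?(?:date)?)\W{0,3}(\d{2}/?\d{2})")
CVV_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid|cvn)\W{0,3}(\d{3,4})")


def luhn_valid(digits: str) -> bool:
    """ISO/IEC 7812 check digit: double every second digit from the right,
    subtract 9 from any product above 9, and require the sum to be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI-style masking: keep only the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cardholder_data(payload: bytes) -> list:
    """Return one finding per Luhn-valid PAN in a payload. Encrypted (TLS)
    data decodes to non-digit characters and yields nothing."""
    text = payload.decode("latin-1")
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            continue                            # order numbers, timestamps, etc.
        window = text[m.end():m.end() + 120]    # companion fields follow the PAN
        exp = EXPIRY_RE.search(window)
        cvv = CVV_RE.search(window)
        findings.append({
            "pan": mask_pan(digits),
            "expiry": exp.group(1) if exp else None,
            "cvv_present": cvv is not None,     # never record the code itself
            "offset": m.start(),
        })
    return findings


def scan_capture(messages) -> list:
    """Run the scan over a sequence of captured outbound messages."""
    hits = []
    for index, payload in enumerate(messages):
        for finding in find_cardholder_data(payload):
            hits.append(dict(finding, message=index))
    return hits


# Constructed sample capture (not real traffic): a TLS record, a clear-text
# form-encoded authorization request, a clear-text XML message, and a
# 16-digit order number that fails the Luhn check.
SAMPLE_MESSAGES = [
    b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(range(32)),
    b"POST /auth HTTP/1.1\r\nHost: gateway.example\r\n\r\n"
    b"PAN=4111111111111111&EXP=1216&CVV2=123&AMT=4999&NAME=TEST+CARDHOLDER",
    b"<auth><acct>5500 0000 0000 0004</acct><expdate>0317</expdate><cvc>9999</cvc></auth>",
    b"order=1234567890123456&ts=20140917T120000",
]

if __name__ == "__main__":
    for hit in scan_capture(SAMPLE_MESSAGES):
        print(hit)
```

Run against a real capture, the same scan can be pointed at whatever a tool such as tcpdump or the gateway's own message log produced; the Luhn filter is what keeps ordinary 16-digit identifiers out of the results, and the companion-field check is what separates a stray card number from a complete authorization request.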
by Robert Lemos
The security company investigating the attack against Sony Pictures Entertainment has reportedly penned a letter that seemingly holds the entertainment firm blameless for the breach of its systems—a move that has opened up the investigating firm to criticism by security professionals.
The letter—to SPE’s CEO Michael Lynton from Kevin Mandia, the head of FireEye’s Mandiant, the incident response service the company hired to investigate the attack and restore its network—calls the attack “unprecedented in nature.” Mandia states that the attack would not have been detected by antivirus programs, and the attackers used non-standard strategies to cause damage to the company.
“In fact, the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public,” Mandia states in the letter, which was leaked to media outlets. “The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”
by Sean Gallagher
Security firm Kaspersky Lab reports that a new sample of the Destover malware—the malware family used in the recent attack on the networks of Sony Pictures—has been found bearing a valid digital signature that could help it sneak past security screening on some Windows systems. And that digital signature is courtesy of a certificate stolen from Sony Pictures.
The newly discovered variant of the malware was signed on December 5 and is otherwise identical to a version compiled in July. It attempts to connect to two different command and control servers, both previously associated with the malware that took down Sony Pictures—one at a university in Thailand, and another associated with a business customer of Time Warner Cable in Champlain, New York. According to a post by Kaspersky Lab’s Global Research and Analysis Team, the malware alternates attempts at connections between the two IP addresses, pausing between attempts.
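The connection behaviour described in this paragraph (a host alternating between two command-and-control addresses with a pause between attempts) is a pattern that can be pulled out of firewall or proxy logs. The script below is an added example, not code from Kaspersky Lab or from the article: it groups outbound connection attempts by source host and flags any host whose attempts strictly alternate between exactly two destinations at a near-constant interval. `SAMPLE_LOG` is constructed in a simple key=value format; the destination addresses are RFC 5737 documentation addresses standing in for the real servers, which the article does not list, and the thresholds (`min_attempts`, `max_jitter`) are starting points, not values from the report.

```python
"""Flag hosts whose outbound connection attempts alternate between two
destinations at a steady interval (the Destover C2 pattern described above)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text: str) -> dict:
    """Group (timestamp, destination) per source host, sorted by time.
    Lines that do not match the expected format are ignored."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        per_host[m["src"]].append((ts, m["dst"]))
    return {src: sorted(events) for src, events in per_host.items()}


def find_alternating_beacons(per_host: dict, min_attempts: int = 6,
                             max_jitter: float = 0.2) -> list:
    """A host is flagged when it has at least min_attempts attempts, exactly
    two distinct destinations, never the same destination twice in a row, and
    gaps between attempts whose coefficient of variation is below max_jitter."""
    alerts = []
    for src, events in per_host.items():
        if len(events) < min_attempts:
            continue
        dsts = [dst for _, dst in events]
        if len(set(dsts)) != 2:
            continue
        if any(a == b for a, b in zip(dsts, dsts[1:])):
            continue                                  # repeats: not strict alternation
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter > max_jitter:
            continue                                  # irregular: a user, not a timer
        alerts.append({
            "src": src,
            "dsts": sorted(set(dsts)),
            "attempts": len(events),
            "mean_gap_s": round(avg),
            "jitter": round(jitter, 3),
        })
    return alerts


# Constructed firewall log (not from the report). 10.1.2.3 alternates between two
# placeholder C2 addresses roughly every five minutes; 10.1.2.50 and 10.1.2.90
# are ordinary clients whose traffic either repeats a destination or is irregular.
SAMPLE_LOG = """\
2014-12-05T10:00:00Z src=10.1.2.3 dst=203.0.113.10 dport=443
2014-12-05T10:00:10Z src=10.1.2.90 dst=192.0.2.30 dport=80
2014-12-05T10:00:25Z src=10.1.2.90 dst=192.0.2.31 dport=80
2014-12-05T10:00:41Z src=10.1.2.50 dst=192.0.2.20 dport=443
2014-12-05T10:05:02Z src=10.1.2.3 dst=198.51.100.7 dport=443
2014-12-05T10:07:13Z src=10.1.2.50 dst=192.0.2.20 dport=443
2014-12-05T10:09:40Z src=10.1.2.90 dst=192.0.2.30 dport=80
2014-12-05T10:09:50Z src=10.1.2.90 dst=192.0.2.31 dport=80
2014-12-05T10:10:01Z src=10.1.2.3 dst=203.0.113.10 dport=443
2014-12-05T10:15:03Z src=10.1.2.3 dst=198.51.100.7 dport=443
2014-12-05T10:16:55Z src=10.1.2.50 dst=192.0.2.21 dport=80
2014-12-05T10:20:00Z src=10.1.2.3 dst=203.0.113.10 dport=443
2014-12-05T10:25:02Z src=10.1.2.3 dst=198.51.100.7 dport=443
2014-12-05T10:26:30Z src=10.1.2.50 dst=192.0.2.20 dport=443
2014-12-05T10:30:01Z src=10.1.2.3 dst=203.0.113.10 dport=443
2014-12-05T10:31:02Z src=10.1.2.50 dst=192.0.2.21 dport=80
2014-12-05T10:35:03Z src=10.1.2.3 dst=198.51.100.7 dport=443
2014-12-05T10:40:00Z src=10.1.2.90 dst=192.0.2.30 dport=80
2014-12-05T10:41:30Z src=10.1.2.90 dst=192.0.2.31 dport=80
2014-12-05T10:48:09Z src=10.1.2.50 dst=192.0.2.21 dport=80
2014-12-05T10:50:00Z src=10.1.2.77 dst=192.0.2.20 dport=443
"""

if __name__ == "__main__":
    for alert in find_alternating_beacons(parse_log(SAMPLE_LOG)):
        print(alert)
```

The strict-alternation test is deliberately narrow so that it matches the behaviour the article describes rather than generic beaconing; a sample that retries the same server before failing over would need the alternation check relaxed to "two destinations, both contacted repeatedly", with the timing test carrying more of the weight.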
The version that was used to spread the “wiper” malware that took down Sony Pictures was compiled just days before that attack and included hard-coded instructions for attacking infrastructure within Sony’s network. The new signed version appears to be a more general-purpose version of the backdoor and could conceivably be part of a botnet toolkit used to deliver other malware. The signature could allow the malware to be installed without being stopped by corporate system management measures such as application whitelisting—especially if it was intended to re-target Sony Pictures’ network for another attack.
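The check a defender would run against the indicators in the ISC diary above (the serial number and thumbprint of the stolen certificate) and against the whitelisting concern in this paragraph, as an added example that is not code from either article: once the signer certificate has been exported from a binary's Authenticode signature (on Windows, `Get-AuthenticodeSignature` exposes it as `SignerCertificate`; the script assumes you already have the DER bytes), compare its serial number and SHA-1 thumbprint against the published values. The DER parser here is a minimal hand-written walker that reads only the first two fields of the certificate, and `SAMPLE_DER` is a constructed stub carrying the published serial, not the real Sony certificate, so its thumbprint deliberately does not match.

```python
"""Match an X.509 certificate (DER bytes) against published code-signing
certificate indicators: serial number and SHA-1 thumbprint."""
import hashlib
import re

# Indicators exactly as published in the ISC diary above.
STOLEN_SERIAL = "01 e2 b4 f7 59 81 1c 64 37 9f ca 0b e7 6d 2d ce"
STOLEN_THUMBPRINT = "8d f4 6b 5f da c2 eb 3b 47 57 f9 98 66 c1 99 ff 2b 13 42 7a"


def normalize_hex(value: str) -> str:
    """Lower-case contiguous hex: strips spaces, colons, dashes and a 0x prefix,
    so '8D:F4:..', '8df4..' and '8d f4 ..' all compare equal."""
    cleaned = re.sub(r"^0x", "", value.strip(), flags=re.IGNORECASE)
    cleaned = re.sub(r"[\s:\-]", "", cleaned).lower()
    if not re.fullmatch(r"[0-9a-f]*", cleaned) or len(cleaned) % 2:
        raise ValueError(f"not a hex byte string: {value!r}")
    return cleaned


def serial_as_int(serial_hex: str) -> int:
    """Serials are compared as integers: tools differ on whether they print the
    0x00 padding byte DER adds when the top bit of the first byte is set."""
    return int(normalize_hex(serial_hex), 16)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def cert_serial(der: bytes) -> int:
    """serialNumber from Certificate -> tbsCertificate -> [version] serialNumber."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] EXPLICIT version comes first
        tag, value, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big")    # unsigned: any 0x00 padding byte drops out


def cert_thumbprint(der: bytes) -> str:
    """The Windows 'thumbprint' is SHA-1 over the whole DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest()


def matches_stolen_cert(der: bytes) -> dict:
    """Compare one certificate against both published indicators."""
    return {
        "serial_match": cert_serial(der) == serial_as_int(STOLEN_SERIAL),
        "thumbprint_match": cert_thumbprint(der) == normalize_hex(STOLEN_THUMBPRINT),
    }


def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form DER encoder, used only to build the constructed stub below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


# Constructed stub: a "certificate" holding only version and serialNumber, so the
# parser has something to walk offline. It is not the real Sony certificate,
# which is why its thumbprint will not match the published one.
SAMPLE_DER = _tlv(0x30, _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x02"))                               # version v3
    + _tlv(0x02, bytes.fromhex(normalize_hex(STOLEN_SERIAL)))))   # serialNumber

if __name__ == "__main__":
    print(matches_stolen_cert(SAMPLE_DER))
```

Two practical points the code encodes: the thumbprint is the strongest indicator because it covers the whole certificate, while the serial is only unique within the issuing CA, so a serial match alone should be confirmed against the issuer; and a blocklist keyed on these values works on the day the indicator is published, without depending on the CRL propagation the diary above warns about.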
Overview of the December 2014 Microsoft patches and their status.
Table columns: #, Affected, Contra Indications - KB, Known Exploits, Microsoft rating (**), ISC rating (*).
MS14-075: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege
MS14-080: Cumulative Security Update for Internet Explorer
  Affected: Microsoft Windows, Internet Explorer
  CVE-2014-6327, CVE-2014-6328, CVE-2014-6329, CVE-2014-6330, CVE-2014-6363, CVE-2014-6365, CVE-2014-6366, CVE-2014-6368, CVE-2014-6369, CVE-2014-6373, CVE-2014-6374, CVE-2014-6375, CVE-2014-6376, CVE-2014-8966
MS14-081: Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (replaces MS14-017, MS14-061, MS14-069)
MS14-082: Vulnerability in Microsoft Office Could Allow Remote Code Execution
MS14-083: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution
MS14-084: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution
MS14-085: Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure
  KB 3013126; vulnerability publicly disclosed; Severity: Important
Alex Stanford - GIAC GWEB GSEC
Research Operations Manager,
SANS Internet Storm Center
Cybersecurity Skills Shortage Panic in 2015?
When it comes to cybersecurity, it's sexy to talk about sophisticated adversaries, innovation and VC-backed startups – intrigue, money and technology drive the infosec market. I get this but we still need people in place who know what they are doing ...
Posted by InfoSec News on Dec 09: http://www.buzzfeed.com/peterlauria/sony-pictures-business-secrets-revealed-in-hack-yep-seinfeld
Posted by InfoSec News on Dec 09: http://www.darkreading.com/how-to-become-a-ciso-top-tips/d/d-id/1317945
Posted by InfoSec News on Dec 09: http://healthitsecurity.com/2014/12/08/healthcare-security-will-benefit-collaboration/
Posted by InfoSec News on Dec 09: http://www.slate.com/articles/technology/future_tense/2014/12/anonymous_vs_lulzsec_the_technology_snob_s_favorite_hacker_group.html
Posted by InfoSec News on Dec 09: http://arstechnica.com/security/2014/12/meaner-poodle-bug-that-bypasses-tls-crypto-bites-10-percent-of-websites/