Information Security News
=============== Rob VandenBrink Metafore(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Microsoft has released a number of security advisories and updates to advisories, hopefully they'll all have matching updates next Patch Tuesday
Microsoft Security Advisory 2974294 (just posted today)
Vulnerability in Microsoft Malware Protection Engine Could Allow Denial of Service
MS14-036 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487) (June 10 advsiory, updated today)
MS14-035 Cumulative Security Update for Internet Explorer (2969262) (June 10 advsiory, updated today)
You can track June's list as it is built here:
by Sean Gallagher
Early in June, Ars reported the discovery of Android/Simplocker, which appeared to be the first cryptographic ransomware Trojan targeted at Android devices. Simplocker encrypts photos, documents, and videos in devices’ local storage and then instructs the device owner to send money if they ever want to see that content again.
One researcher—Simon Bell, an undergraduate student at the University of Sussex—managed to dissect the code for Simplocker. He found that while the code actually called back to a command and control server over the Tor anonymizing network to pass information about the infected device, all of the encryption work was done by the malware itself.
Today, Bell released an antidote to Simplocker—a Java program that can decrypt the files attacked by the malware. “The antidote was incredibly easy to create because the ransomware came with both the decryption method and the decryption password,” Bell wrote. “Therefore producing an antidote was more of a copy-and-paste job than anything.”
A Brooklyn-based designer has created a 3D-printed sculptural boob tube to spark social commentary on the state of privacy in a data-driven world—by making the top gradually more sheer.
X.pose's striking black webbed rubber structure was engineered using a Stratasys printer, molded to the body to ensure comfort and very much inspired by creator Xuedi Chen's previous work, Invasive Growth (moss-grown jewelry based on the parasitic cordyceps fungus). But underneath, its layers tell another story about our lack of control and veritable vulnerability when it comes to who uses our data, what for, and how much they take.
"By participating in this hyper-connected society while having little to no control of my digital data production, how much of myself do I unknowingly reveal?" asks Chen, who created X.pose in around three weeks with fellow artist Pedro Oliveira. "To what degree does the aggregated metadata collected from me paint an accurate portrait of who I am as a person? What aspects of my individuality are reflected in this portrait?"
Canada recently passed anti-spam legislation. Starting July 1 2014, organizations now need consent to send unsolicited emails or other electronic communications, which includes text messages, faxes and anything else you might think of. This doesn't cover just mass marketing, a single email to a single person is covered in this new legislation.
Starting Jan 15,2015, the installation of apps, plug-ins and other programs need similar consent.
With fines up to $1 million for individuals and $10 million for organizations, there's a bit of a scramble to get consent from us Canadians . Everyone from car companies wanting to send service bulletins to insurance companies who this this applies to emails on our insurance claims are sending "click here to consent" emails. And of course, a similar scramble for folks that we've bought something from once, who want to send us sales flyers forever.
See the problem yet? There was a clue in the note above
In this onslaught of "Click here" notes, it's oh-so-easy to slip in a few malicious emails, and of course if you do click in those notes, there's some special malware just for you!
To make things more interesting, many of the legit emails of this type are loaded with graphics with the links point to third party sites, so they also look like malicious content all on their own.
So in an effort to protect us Canadians from our collective compulsion to open every email and click every link (this isn't confined to just Canadians mind you), this legislation is actually resulting in a new "easy button" attack vector, so we have a spike of the very activity this is trying to prevent!
I wonder if the folks in Ottawa who wrote this legislation realize that this also applies to their campaign material at election time? Or if they understand that a telephone call is also "electronic communication"? <Just the first two gotcha's that came to mind>
If you've seen malware in email of this type, or if you have a slow day and want to read the legislation and look for similar "oops" situations, please share using our comment form !
Posted by InfoSec News on Jun 17http://www.informationweek.com/government/cybersecurity/nist-security-guidance-revision-prepare-now/a/d-id/1269663
Posted by InfoSec News on Jun 17http://online.wsj.com/articles/u-s-charges-suspected-activist-hacker-1402950397
Posted by InfoSec News on Jun 17http://www.computerweekly.com/news/2240222633/Cyber-security-an-economic-opportunity-says-UK-government
Posted by InfoSec News on Jun 17Forwarded from: security curmudgeon <jericho (at) attrition.org>
Posted by InfoSec News on Jun 17http://www.theregister.co.uk/2014/06/14/att_twas_conniving_contractors_that_nicked_your_info/
Posted by InfoSec News on Jun 17http://www.zdnet.com/world-cup-2014-experts-warn-of-security-threats-7000030594/