A sale, right before Christmas? What an extraordinary step for a retailer to take! And that hefty 10% off is available to everyone. Target's millions of breach victims must be feeling very special.

Friday's report that RSA received $10 million to make an NSA-favored random number generator the default setting in its BSAFE crypto tool aren't yet creating any problems on Wall Street, with stock for parent company EMC rising 2 percent on Monday. That doesn't mean the revelations don't have important public relations fallout for the encryption software maker.

On Monday, Mikko Hypponen, chief research officer of Finland-based antivirus provider F-Secure, publicly canceled the talk he was scheduled to deliver at the RSA Conference USA 2014, which is slated for February. A highly sought-after security researcher who regularly speaks at Black Hat, Defcon, Hack in the Box, in addition to the more mainstream Ted and South by Southwest conferences, Hypponen said his cancellation was in protest of the recently revealed $10 million contract to make the NSA-influenced Dual EC_DRBG BSAFE's default pseudo random number generator (PRNG). Hypponen also cited RSA's decision to keep Dual EC_DRBG the default PRNG for more than five years after serious vulnerabilities were uncovered in it and Monday's non-denying denial from RSA in response to Friday's report from the Reuters news agency.

"I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA," Hypponen wrote in an open letter to Joseph M. Tucci and Art Coviello, the CEO of EMC and the executive chairman of RSA respectively. "In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway–why would they care about surveillance that's not targeted at them but at non-Americans. Surveillance operations from the US intelligence agencies are targeted at foreigners. However I'm a foreigner. And I'm withdrawing my support from your event."

Read 3 remaining paragraphs | Comments


Wondering what the Costco / Walmart malware (yesterday's diary) was up to, we ran it in a lab environment. It happily connected to its Command&Control (C&C), and soon after started spamming the next round of bait. The upcoming scam email apparently looks like this:

and it comes complete with an EXE, named something like "Court_Notice_Jones_Day_Washington.exe", current MD5 84fae8803a2fcba2d5f868644cb55dd6 (Virustotal)

The C&C of the original Costco sample was at and A supplemental binary was pulled from If you have additional information on this scam or yesterday's Costco/Walmart version, please share in the comments below. Thanks to Francis Trudeau of Emerging Threats for help with the analysis and gathering the C&C traffic.


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Dataguise Positioned in "Visionaries" Quadrant of the Gartner Magic Quadrant ...
4-traders (press release)
@Gartner_Inc calls @Dataguise #Visionary in 2013 Data Masking #MQ (LINK) #infosec #datasecurity. Gartner analysts Joseph Feiman and Brian Lowans wrote in the Data Masking Technology report that, "Data masking has emerged to address relational ...

and more »
Like a juggler walking away with dozens of objects suspended in the air, Steve Ballmer is leaving his successor at Microsoft not only a tough act to follow but an even tougher act to continue.
Taiwanese computer maker Acer has named Jason Chen, vice president of worldwide sales and marketing at Taiwan Semiconductor Manufacturing, as its new president and CEO, effective Jan. 1.
Sony Corp. of America has agreed to sell its Gracenote music metadata business to the Tribune media conglomerate for $170 million.
While the bulk of enterprise software is still deployed on-premises, SaaS continues to undergo rapid growth. Gartner has said the total market will top $22 billion through 2015, up from more than $14 billion in 2012.
From the NSA surveillance revelations to the troubled government healthcare website to a variety of issues that didn't make the mainstream news, here are the top tech policy stories that played out in 2013.

Yes, it's this time of the year again. There's a new wave of email making the rounds, with a message that looks as follows

The URLs look like this

The subject seems to be one of "Delivery Canceling", "Express Delivery Failure" or "Standard Delivery Failure". Next to Costco, the same scam is currently ongoing for BestBuy and Walmart, maybe others. The links are (appear to be) random or encoded, there is no repeat occurrence of the URL and "package number" for the entire sample set that we have. It could well be that the BASE64 portion of the URL contains an encoded hash of the email address to which the phish was sent, so when you play with one of the samples, be mindful that you could be confirming the email address back to the bad guys  [for that reason, the two URLs above are facsimile only, and not the real thing]

For a change, clicking on the link doesn't bring up a web form asking for your credit card number. Instead, it quite bluntly downloads a ZIP which contains an EXE. What makes this particular version more cute than others is that the EXE inside the ZIP is re-named on the fly, based on the geolocation of your download request.  In my case, this spoiled the fun some, because "CostcoForm_Zürich.exe" and "CostcoForm_Hamburg.exe" didn't look all that credible: There are no Costcos in Switzerland or Germany :). 

We have seen this "geolocation" approach at malware delivery used more frequently in the past weeks, for example also in a WhatsApp spam spree ten days ago. I assume someone who would click on "CostcoForm.exe" might be even more inclined to do so if the file is called "CostcoForm_DesMoines.exe" or the like, and the user is in fact residing in that same town.

As for the malware:  Lowish detection as usual, Virustotal 12/44 . Malwr/Cuckoo analysis.  The malware family so far seems to have a MUTEX of "CiD0oc5m" in common, and when run, it displays a Notepad that asks the user to try again later (while the EXE installs itself in the background).  Further analysis is still ongoing.

Hosts currently seen pushing the malware include

bmaschool.net Address:
bright-color.de Address:
am-software.net Address:
artes-bonae.de Address:
automartin.com Address:
almexterminatinginc.com Address:
brandschutz-poenitz.de Address:

All these sites have been on the corresponding IP addresses since years, which suggests that these are legitimate web sites that have been compromised/hacked, and are now being abused to push malware.

If you have additional info on this scam, especially if you have seen the same scam for companies besides Costco, Walmart and Bestbuy, please let us know in the comments below, or share a sample via our contact form.


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The techniques used by hackers to access credit and debit card data from Target shoppers suggests that the cyber crooks have found a troubling new way to stay ahead of the latest fraud detection processes.
U.S. Sen. Richard Blumenthal has called on the Federal Trade Commission to investigate Target's security practices after the large retailer reported a data breach affecting 40 million customer credit and debit cards.

SANS Announces the Winner of its Second Annual NetWars Tournament of ...
SYS-CON Media (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system—the Internet Storm Center. At the heart of SANS are the many security ...

and more »
CEOs stepping down, social media IPOs and phablets were just a few stories made news this year. What was the biggest tech story of 2013?
The evad3rs hacking team has released a long-awaited jailbreak for Apple devices running iOS 7, but the release generated a backlash over its bundling of a Chinese app store instead of the more popular Cydia app directory.
LinuxSecurity.com: A vulnerability has been discovered and corrected in asterisk: Buffer overflow in the unpacksms16 function in apps/app_sms.c in Asterisk Open Source 1.8.x before, 10.x before 10.12.4, and 11.x before 11.6.1; Asterisk with Digiumphones 10.x-digiumphones before [More...]
LinuxSecurity.com: Helmut Grohne discovered that denyhosts, a tool preventing SSH brute-force attacks, could be used to perform remote denial of service against the SSH daemon. Incorrectly specified regular expressions used to detect brute force attacks in authentication logs could be exploited [More...]
LinuxSecurity.com: Multiple vulnerabilities has been discovered and corrected in samba: The winbind_name_list_to_sid_string_list function in nsswitch/pam_winbind.c in Samba through 4.1.2 handles invalid require_membership_of group names by accepting authentication by [More...]
LinuxSecurity.com: New gnupg packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. [More Info...]
LinuxSecurity.com: Fraudulent security certificates could allow sensitive information tobe exposed when accessing the Internet.
LinuxSecurity.com: A vulnerability has been discovered and corrected in mozilla NSS: Google notified Mozilla that an intermediate certificate, which chains up to a root included in Mozillas root store, was loaded into a man-in-the-middle (MITM) traffic management device. This certificate [More...]

RSA has issued a statement denying allegations stemming from Friday's bombshell report that the encryption software provider received $10 million from the National Security Agency (NSA) in exchange for making a weak algorithm the preferred one in its BSAFE toolkit.

The press release went live on Sunday, two days after Reuters said the secret contract was part of an NSA campaign to embed encryption software that the agency could break into widely used computer products. RSA's statement was worded in a way that didn't clearly contradict any of the article's most damaging accusations. For instance:

Recent press coverage has asserted that RSA entered into a "secret contract" with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.

Later in the release, RSA officials wrote: "RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."

Read 6 remaining paragraphs | Comments

Song Exporter v2.1.1 RS iOS - File Include Vulnerabilities
[ MDVSA-2013:300 ] asterisk
[ MDVSA-2013:301 ] nss
ack Multiple Remote Code Execution Vulnerabilities

How to steer clear of trouble when building mHealth apps
Government Health IT
There are a number of tools within the infosec community that can be openly leveraged to help mitigate risks. Despite being relatively new, the iMAS library provides iOS developers with a set of easy-to-use tools to accomplish various security tasks in ...

and more »
JBoss Enterprise Application Platform CVE-2012-0874 Multiple Security Bypass Vulnerabilities
Multiple Asterisk Products 'unpacksms16()' Function Buffer Overflow Denial of Service Vulnerability
Cisco EPC3925 Router 'Quick_setup' Cross Site Request Forgery Vulnerability
WebKit CVE-2013-5228 Use After Free Memory Corruption Vulnerability
IBM Rational Focal Point Webservice Axis Gateway CVE-2013-5398 Information Disclosure Vulnerability
IBM Rational Focal Point Webservice Axis Gateway CVE-2013-5397 Information Disclosure Vulnerability
Microsoft will face a rebellion of long-time partners at next month's CES when OEMs introduce Windows PCs that can also run Android mobile apps.
The tech industry is seeing a shift toward a more independent IT workforce. And while that might not be bad for retiring baby boomers, it could mean younger and mid-career IT workers need to prepare to make a living solo.
Apple plans to offer the iPhone to more than 760 million China Mobile customers from January, which could help it increase its share from the fifth position in this growing market.
The U.S. government again claimed state-secrets privileges in a move to block two lawsuits challenging the constitutionality of the National Security Agency's monitoring of Americans' phone communications and email, according to court filings late Friday.
Linux Kernel 'kvm_vm_ioctl_create_vcpu()' Function Local Privilege Escalation Vulnerability
Linux Kernel KVM 'apic_get_tmcct()' Function Denial of Service Vulnerability
Linux Kernel KVM 'recalculate_apic_map()' Function Denial of Service Vulnerability
The U.S. National Security Agency (NSA) paid US$10 million to vendor RSA in a "secret" deal to incorporate a deliberately flawed encryption algorithm into widely used security software, according to a Reuters report that is reigniting controversy about the government's involvement in setting security standards.
NEW VMSA-2013-0016 VMware ESXi and ESX unauthorized file access through vCenter Server and ESX
[SECURITY] [DSA 2826-1] denyhosts security update
[ MDVSA-2013:299 ] samba
[slackware-security] gnupg (SSA:2013-354-01)
[ MDVSA-2013:298 ] php
[SECURITY] [DSA 2825-1] wireshark security update
[ MDVSA-2013:297 ] munin
[ MDVSA-2013:296 ] wireshark
Internet Storm Center Infocon Status