Information Security News
Friday's report that RSA received $10 million to make an NSA-favored random number generator the default setting in its BSAFE crypto tool isn't yet creating any problems on Wall Street, with stock for parent company EMC rising 2 percent on Monday. That doesn't mean the revelations don't have important public relations fallout for the encryption software maker.
On Monday, Mikko Hypponen, chief research officer of Finland-based antivirus provider F-Secure, publicly canceled the talk he was scheduled to deliver at the RSA Conference USA 2014, which is slated for February. A highly sought-after security researcher who regularly speaks at Black Hat, Defcon and Hack in the Box, in addition to the more mainstream TED and South by Southwest conferences, Hypponen said his cancellation was in protest of the recently revealed $10 million contract to make the NSA-influenced Dual_EC_DRBG BSAFE's default pseudorandom number generator (PRNG). Hypponen also cited RSA's decision to keep Dual_EC_DRBG the default PRNG for more than five years after serious vulnerabilities were uncovered in it, and Monday's non-denying denial from RSA in response to Friday's report from the Reuters news agency.
"I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA," Hypponen wrote in an open letter to Joseph M. Tucci and Art Coviello, the CEO of EMC and the executive chairman of RSA respectively. "In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway–why would they care about surveillance that's not targeted at them but at non-Americans. Surveillance operations from the US intelligence agencies are targeted at foreigners. However I'm a foreigner. And I'm withdrawing my support from your event."
Wondering what the Costco / Walmart malware (yesterday's diary) was up to, we ran it in a lab environment. It happily connected to its command and control server (C&C), and soon after started spamming the next round of bait. The upcoming scam email apparently looks like this:
It comes complete with an EXE named something like "Court_Notice_Jones_Day_Washington.exe", current MD5 84fae8803a2fcba2d5f868644cb55dd6 (VirusTotal).
The C&C of the original Costco sample was at 188.8.131.52:443 and 184.108.40.206:8080. A supplemental binary was pulled from 220.127.116.11:8080. If you have additional information on this scam or yesterday's Costco/Walmart version, please share in the comments below. Thanks to Francis Trudeau of Emerging Threats for help with the analysis and gathering the C&C traffic.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Dataguise Positioned in "Visionaries" Quadrant of the Gartner Magic Quadrant ...
4-traders (press release)
@Gartner_Inc calls @Dataguise #Visionary in 2013 Data Masking #MQ (LINK) #infosec #datasecurity. Gartner analysts Joseph Feiman and Brian Lowans wrote in the Data Masking Technology report that, "Data masking has emerged to address relational ...
Yes, it's that time of the year again. There's a new wave of email making the rounds, with a message that looks as follows:
The URLs look like this
The subject seems to be one of "Delivery Canceling", "Express Delivery Failure" or "Standard Delivery Failure". Besides Costco, the same scam is currently ongoing for BestBuy and Walmart, and maybe others. The links are (or appear to be) random or encoded: there is no repeat occurrence of the URL and "package number" across the entire sample set that we have. It could well be that the Base64 portion of the URL contains an encoded hash of the email address to which the phish was sent, so when you play with one of the samples, be mindful that you could be confirming the email address back to the bad guys [for that reason, the two URLs above are facsimiles only, and not the real thing].
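As an added, offline check of the hypothesis above (example code, not the diary's own; the URL layout and the `make_sample_url` helper are constructed for illustration), the following decodes every Base64-looking segment of a captured URL and tests whether it carries an MD5, SHA-1 or SHA-256 digest of a given recipient address, so an analyst can tell that a sample is recipient-bound before fetching it.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Digests a per-recipient tracking token might plausibly be built from
_ALGOS = ("md5", "sha1", "sha256")


def _b64_segments(url):
    """Yield path segments and query values of `url` that look like Base64."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    segments += [kv.split("=", 1)[1] for kv in parts.query.split("&") if "=" in kv]
    for seg in segments:
        if re.fullmatch(r"[A-Za-z0-9+/_-]{8,}={0,2}", seg):
            yield seg


def _b64_decode(token):
    """Decode standard or URL-safe Base64, restoring stripped '=' padding."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def recipient_bound_token(url, recipient):
    """Return (token, algorithm) if a segment decodes to a digest of `recipient`, else None."""
    addr = recipient.strip().lower().encode()
    digests = {}
    for name in _ALGOS:
        d = hashlib.new(name, addr)
        digests[d.digest()] = name            # raw digest bytes
        digests[d.hexdigest().encode()] = name  # hex text inside the blob
    for token in _b64_segments(url):
        blob = _b64_decode(token)
        if blob is None:
            continue
        for needle, name in digests.items():
            if needle in blob:
                return token, name
    return None


def make_sample_url(recipient):
    """Constructed sample (not a real campaign URL): unpadded URL-safe Base64 of the MD5 hex."""
    digest_hex = hashlib.md5(recipient.strip().lower().encode()).hexdigest()
    token = base64.urlsafe_b64encode(digest_hex.encode()).decode().rstrip("=")
    return f"http://delivery.example.invalid/track/{token}/pkg/0123456789"
```

Run `recipient_bound_token()` over each captured URL with the address it was delivered to; a hit means visiting the link would confirm that mailbox to the sender.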
For a change, clicking on the link doesn't bring up a web form asking for your credit card number. Instead, it quite bluntly downloads a ZIP which contains an EXE. What makes this particular version cuter than others is that the EXE inside the ZIP is renamed on the fly, based on the geolocation of your download request. In my case, this spoiled the fun some, because "CostcoForm_Zürich.exe" and "CostcoForm_Hamburg.exe" didn't look all that credible: there are no Costcos in Switzerland or Germany :).
We have seen this "geolocation" approach to malware delivery used more frequently in recent weeks, for example in a WhatsApp spam spree ten days ago. I assume someone who would click on "CostcoForm.exe" might be even more inclined to do so if the file is called "CostcoForm_DesMoines.exe" or the like and the user actually lives in that town.
As for the malware: lowish detection as usual, VirusTotal 12/44. Malwr/Cuckoo analysis is available. The malware family so far seems to share a mutex named "CiD0oc5m", and when run, it displays a Notepad window that asks the user to try again later (while the EXE installs itself in the background). Further analysis is still ongoing.
Hosts currently seen pushing the malware include:
bmaschool.net Address: 18.104.22.168
bright-color.de Address: 22.214.171.124
am-software.net Address: 126.96.36.199
artes-bonae.de Address: 188.8.131.52
automartin.com Address: 184.108.40.206
almexterminatinginc.com Address: 220.127.116.11
brandschutz-poenitz.de Address: 18.104.22.168
All these sites have been on the corresponding IP addresses for years, which suggests that these are legitimate web sites that have been compromised and are now being abused to push malware.
If you have additional info on this scam, especially if you have seen the same scam for companies besides Costco, Walmart and Bestbuy, please let us know in the comments below, or share a sample via our contact form.
SANS Announces the Winner of its Second Annual NetWars Tournament of ...
SYS-CON Media (press release)
SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system—the Internet Storm Center. At the heart of SANS are the many security ...
RSA has issued a statement denying allegations stemming from Friday's bombshell report that the encryption software provider received $10 million from the National Security Agency (NSA) in exchange for making a weak algorithm the preferred one in its BSAFE toolkit.
The press release went live on Sunday, two days after Reuters said the secret contract was part of an NSA campaign to embed encryption software that the agency could break into widely used computer products. RSA's statement was worded in a way that didn't clearly contradict any of the article's most damaging accusations. For instance:
Recent press coverage has asserted that RSA entered into a "secret contract" with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.
We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.
Later in the release, RSA officials wrote: "RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
How to steer clear of trouble when building mHealth apps
Government Health IT
There are a number of tools within the infosec community that can be openly leveraged to help mitigate risks. Despite being relatively new, the iMAS library provides iOS developers with a set of easy-to-use tools to accomplish various security tasks in ...