MITRE has been running the CVE vulnerability identification and logging system for what seems like forever. Mostly this has worked well but recently it seems that applications to MITRE for CVE no’s have been taking longer than expected. In fact, the issue appears to be so bad that Kurt Seifried from Red Hat has decided to create a complimentary system to CVE for assigning vulnerability identifiers, calling it DWF – Distributed Weakness Filing system. DWF uses the same format as CVE and if you have a CVE no. already, this will be mapped directly to DWF. It seems that this action has woken MITRE up and they have started engaging with stakeholders to improve things. Identifiers are very important because they allow everyone to see if a vuln has been logged by someone else, it keeps a common identifier that all can work with and it lends a sense of legitimacy to vuln logging. Let’s hope the 2 groups can reach common ground.
Locky is a new strain of ransom-ware that is starting to make waves; or encrypted files as it were. Locky is unique in that it uses Javascript attachments to spread its wares. Locky is being distributed by the same botnet responsible for the Dridex trojan – they’ve simply changed the delivery mechanism ( js ) and the payload ( ransomware ). Apparently, this has been enough to fool some AV programs. Locky will go after any accessible files including those on network shares. In addition, it will delete VSS shadow copies so making sure you have alternate backups is critical. Time to block .js files at the border of your networks.
The first Mac OS X ransom-ware recently came to light – dubbed KeRanger. This r-w is in fact just a copy of Linux Encoder which arrived in November 2015. KeRanger is basically a rewrite of v4 of Linux Encoder and while previous releases had a decryption tool available ( from BitDefender ), this release does not. KeRanger was originally distributed with the Transmission BitTorrent client, the result of the Transmission site being compromised. Linux Encoder is also not an original piece of software and comes as a result of Hidden Tear which is PoS ransom-ware …
Stagefright was an interesting Android exploit from last year that was mostly mitigated by the ASLR memory feature in Android. But a new variation on Stagefright, called Metaphor, has been released that apparently bypasses the ASLR protections. Let’s see what Google has to say about this over the next few days.
The UK’s telecoms regulator, Ofcom, was recently the subject of an insider data leak, with a former employee offering swathes of Ofcom data to their new employer. Kind of a silly thing to do because the new employer promptly alerted Ofcom. This incident goes to show that internal threats remain a serious barrier to maintaining network security. With more than 1/3 of data breaches resulting from employee actions, this is an area of security that’s becoming increasingly difficult to manage and balance against employee rights.
One of the biggest attacks of last week comes through advertising – or malvertising as it’s commonly called. A number of high profile sites including BBC, MSN and Newsweek ended up hosting ads that were redirecting visitors to sites serving malware and ransom-ware. The internet advertising community has already been under siege the last few years due to their high-handed tactics and invasive techniques – this latest attack is unlikely to help their cause. If this news gets out more, people would start to view ad-blockers as another layer of security. Goodbye ads, most of them anyway. Google had better make a convincing statement soon, or the ads industry for the web faces a recession.
For my own security, I’ve been using Privacy Badger for a number of years now; this stops the automated execution of scripts in ads that might otherwise do damage. Am I aiding in the death of the ads industry? I’m not sure of that but I’d choose my security over the ad industry’s protection any day. Especially since the ads industry has not cleaned house. Maybe this latest attack will give them a wake-up call.