Now Everyone Wants to Sell You a Magical Anonymity Router. Choose Wisely - Fri, 2014-10-24 04:07 Maintaining your privacy online, like investing in stocks or looking good naked, has become one of those nagging desires that leaves Americans with a surplus of stress and a deficit of facts. So it's no surprise that a cottage industry of privacy marketers now wants to sell them the solution in a $50 piece of hardware promising internet "anonymity" or "invisibility."
Categories: linux, news, security

Disaster as CryptoWall encrypts US firm's entire server installation - Fri, 2014-10-24 04:04 "Here is a tale of ransomware that will make your blood run cold," announced Stu Sjouwerman of security training firm KnowBe4 in a company newsletter this week and he wasn't exaggerating.
Categories: linux, news, security

Quick PHP patch beats slow research reveal - Thu, 2014-10-23 04:27 Patches have been flung out to cover vulnerabilities in PHP that led to remote code execution and buffer overflows.
Categories: linux, news, security

NIST to hypervisor admins: secure your systems - Thu, 2014-10-23 04:27 US standards body the National Institute of Standards and Technology (NIST) has laid out the basics of hypervisor security in a draft publication released for comment on 20 October.
Categories: linux, news, security

Pro-Privacy Senator Wyden on Fighting the NSA From Inside the System - Thu, 2014-10-23 04:22 Senator Ron Wyden thought he knew what was going on. The Democrat from Oregon, who has served on the Senate Select Committee on Intelligence since 2001, thought he knew the nature of the National Security Agency's surveillance activities.
Categories: linux, news, security

Mandriva: 2014:202: php - Thu, 2014-10-23 01:33 A vulnerability has been discovered and corrected in php: A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially-crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code [More...]
Categories: linux, news, security

Ubuntu: 2388-1: OpenJDK 7 vulnerabilities - Wed, 2014-10-22 18:02 Several security issues were fixed in OpenJDK 7.
Categories: linux, news, security

No Repercussions for Failing to Comply with FedRAMP Standards? (October 15, 2014)

SANS NewsBites - Wed, 2014-10-22 17:00

US government agencies that missed a June 5, 2014 deadline for ensuring that their cloud computing systems met a set of baseline security standards appear unlikely to face repercussions.......

Categories: security

Staples Breach (October 20, 2014)

SANS NewsBites - Wed, 2014-10-22 17:00

Staples is the latest retailer to have been identified as having likely experienced a data security breach.......

Categories: security

Eight Industries Now Receiving Classified Cyber Threat Information (October 20, 2014)

SANS NewsBites - Wed, 2014-10-22 17:00

The number of industries participating in the US Department of Homeland Security's Enhanced Cybersecurity Services Initiative has more than doubled since July 2014.......

Categories: security

China Using Phony Apple Certificate to Snoop on iCloud (October 20, 2014)

SANS NewsBites - Wed, 2014-10-22 17:00

A group that monitors Chinese government censorship, GreatFire.......

Categories: security

Apple's New OS X Yosemite Sends Search Data and Location back to Company Servers (October 20, 2014)

SANS NewsBites - Wed, 2014-10-22 17:00

While Apple has made headlines recently for its enhanced encryption in iOS 8, the company's newest Mac operating system, OS X Yosemite, reportedly leaks user information by sending location and search data when users query Spotlight, the operating system's search feature.......

Categories: security

Login Page for Dropbox Phishing Scheme Hosted on Dropbox (October 19 & 20, 2014)

SANS NewsBites - Wed, 2014-10-22 17:00

A phishing scheme tries to get Dropbox users to disclose their account access credentials by sending a message telling recipients that someone has sent them a file that is too large to be sent through regular email so they must sign in to Dropbox to view it.......

Categories: security

Microsoft Pulls a Patch After Reports of "Unexpected Behavior" (October 18 & 20, 2014)

SANS NewsBites - Wed, 2014-10-22 17:00

Microsoft has pulled a recently released fix that is reportedly causing "unexpected behavior.......

Categories: security

Florida Supreme Court Says Warrant Required for Cell Phone Tracking (October 17 & 20, 2014)

SANS NewsBites - Wed, 2014-10-22 17:00

Florida's Supreme Court has ruled that law enforcement must obtain a warrant before collecting cell phone location data.......

Categories: security

Washington, DC Police and Stingray (October 20, 2014)

SANS NewsBites - Wed, 2014-10-22 17:00

Documents obtained through a Freedom of Information Act (FOIA) request show that police in Washington, DC have had a StingRay cellular surveillance device since 2003, but it remained unused until 2009, when officers were trained in its use.......

Categories: security

Sandworm Targets SCADA Systems (October 17, 2014)

SANS NewsBites - Wed, 2014-10-22 17:00

The Sandworm attack campaign has been found to be targeting Supervisory Control and Data Acquisition (SCADA) systems.......

Categories: security

TA14-295A: Crypto Ransomware

US-CERT - Wed, 2014-10-22 16:28
Original release date: October 22, 2014 | Last revised: October 24, 2014
Systems Affected

Microsoft Windows
Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. This Alert is the result of Canadian Cyber Incident Response Centre (CCIRC) analysis in coordination with the United States Department of Homeland Security (DHS) to provide further information about crypto ransomware, specifically to:

  • Present its main characteristics, and explain the prevalence of ransomware and the proliferation of crypto ransomware variants; and
  • Provide prevention and mitigation information.

Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that the user's computer has been locked or that all of their files have been encrypted, and demand that a ransom be paid to restore access. This ransom is typically in the range of $100–$300, and is sometimes demanded in virtual currency, such as Bitcoin.

Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.


The authors of ransomware instill fear and panic in their victims with messages similar to those below, pushing them to click on a link or pay a ransom; victims who do so inevitably become infected with additional malware:

  • “Your computer has been infected with a virus. Click here to resolve the issue.”
  • “Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”
  • “All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data.”

In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,400 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.

This financial success has likely led to a proliferation of ransomware variants. In 2013, more destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users' and organizations' files and render them useless until criminals receive a ransom.

Additional variants observed in 2014 included CryptoDefense and Cryptowall, which are also considered destructive. Reports indicate that CryptoDefense and Cryptowall share the same code, and that only the name of the malware differs. Similar to CryptoLocker, these variants also encrypt files on the local computer, shared network files, and removable media.
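One way a defender can spot the mass file encryption described above across a local disk, a network share or removable media is to sample each file and look for a sudden jump in the share of files whose bytes are near-uniformly distributed, which is what ciphertext looks like. This is an added example, not code from the alert or from US-CERT/CCIRC; the file names, the 7.5-bits-per-byte threshold and the sample contents are constructed assumptions.

```python
import math
import os
from collections import Counter
from typing import Dict, List

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext or compressed data, much lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_high_entropy(files: Dict[str, bytes], threshold: float = 7.5) -> List[str]:
    """Names of files whose sampled contents look encrypted (entropy at or above threshold)."""
    return sorted(name for name, data in files.items() if shannon_entropy(data) >= threshold)

def encrypted_fraction(files: Dict[str, bytes], threshold: float = 7.5) -> float:
    """Share of files that look encrypted; a sudden jump for a whole tree is the signal."""
    if not files:
        return 0.0
    return len(flag_high_entropy(files, threshold)) / len(files)

def scan_tree(root: str, sample_bytes: int = 4096) -> Dict[str, bytes]:
    """Read the first sample_bytes of each file under root (a local disk, share or USB mount)."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    files[path] = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable files are skipped rather than counted
    return files

# Constructed sample "files" (assumed names and contents): two document-like blobs
# and one blob of uniform bytes standing in for ciphertext.
SAMPLE_FILES = {
    "reports/q3.txt": b"Quarterly report: revenue up, costs flat.\n" * 40,
    "notes/backup-plan.txt": b"Keep one backup offline on a separate device.\n" * 30,
    "backups/vault.bin": bytes(range(256)) * 16,
}

if __name__ == "__main__":
    for name in flag_high_entropy(SAMPLE_FILES):
        print("looks encrypted:", name)
    print("encrypted fraction:", round(encrypted_fraction(SAMPLE_FILES), 2))
```

Already-compressed formats such as JPEG or ZIP also score near 8 bits, so the useful signal is the change in encrypted_fraction for the same tree against a known-good baseline, not any single flagged file.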


Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically becomes infected by opening a malicious attachment from an email. This malicious attachment contains Upatre, a downloader, which infects the user with GameOver Zeus. GameOver Zeus is a variant of the Zeus Trojan that steals banking information and is also used to steal other types of data. Once a system is infected with GameOver Zeus, Upatre will also download CryptoLocker. Finally, CryptoLocker encrypts files on the infected system, and requests that a ransom be paid.

The close ties between ransomware and other types of malware were demonstrated through the recent botnet disruption operation against GameOver Zeus, which also proved effective against CryptoLocker. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.


Ransomware doesn’t only target home users; businesses can also become infected with ransomware, which can have negative consequences, including:

  • Temporary or permanent loss of sensitive or proprietary information;
  • Disruption to regular operations;
  • Financial losses incurred to restore systems and files; and
  • Potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.


Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

US-CERT and CCIRC recommend users and administrators take the following preventive measures to protect their computer networks from ransomware infection:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Maintain up-to-date anti-virus software.
  • Keep your operating system and software up-to-date with the latest patches.
  • Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
  • Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.
  • Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.

Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report instances of fraud to the FBI at the Internet Crime Complaint Center or contact the CCIRC.

References

Revision History
  • October 22, 2014: Initial Release
  • October 24, 2014: Minor edit to the reference section


Categories: news, security

Ubuntu: 2387-1: pollinate update - Wed, 2014-10-22 12:19 The certificate bundled with pollinate has been refreshed.
Categories: linux, news, security

Red Hat: 2014:1690-01: python-backports-ssl_match_hostname: Low Advisory - Wed, 2014-10-22 10:02 An updated python-backports-ssl_match_hostname package that fixes one security issue is now available for Red Hat Enterprise Linux OpenStack Platform 4.0. [More...]
Categories: linux, news, security