STE WILLIAMS

CryptoLocker urgent alert – here’s how YOU can help!

We’ve seen a resurgence in interest in the CryptoLocker ransomware, not least because the UK’s National Cybercrime Unit (NCU) put out a warning about it yesterday.

The NCU burst onto the cybercrime fighting scene as part of the UK’s newly formed National Crime Agency (NCA), which became operational just a month ago, on 07 October 2013.

The NCA is part of the UK’s effort to tackle organised crime, including crimes launched by electronic means.

And CryptoLocker has been a strange baptism of fire for the agency dubbed by some “the British FBI.”

What CryptoLocker does

If you’ve been following the story, you’ll know that CryptoLocker is malware that deliberately scrambles your precious data files, such as documents and spreadsheets, and offers to sell you a decryption key to get them back.

The price the crooks are charging is currently hundreds of pounds.

Of course, if you have a decent anti-virus, you’re unlikely to get infected in the first place, and if you have a decent backup you should be able to recover your data even if the worst happens.

But if you don’t, then you’re stuck.

As far as we can tell so far, the crooks who are operating the CryptoLocker crimeware haven’t left any holes or backdoors by which you can recover your data without paying up:

  • The decryption key is different for each victim, so you can’t share your key with the next guy.
  • The encryption used is strong enough that it can be considered impossible to crack.
  • The crooks don’t let your key out of their sight until payment is received.
  • No-one, to the best of our knowledge, has been able to get into the crooks’ own network to recover the keys.

Why the risk is high

Even though CryptoLocker is already well known, having made headlines for several weeks, and tips on how to avoid it have been widely publicised, things may yet get worse.

The NCA’s recent alert warns that emails containing infectious attachments “may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular.”


The attachments are often disguised, warns the NCA, as files that sound important enough to open, but not of a sort usually associated with viruses and malware, “for example, a voicemail, fax, details of a suspicious transaction or invoices for payment.”

Of course, crooks have known for years that attachments can be made to look like images, or audio files, or documents, by giving them names like VOICEMAIL.MP3.EXE or INVOICE_SCAN.JPG.EXE.

You see VOICEMAIL.MP3, which seems innocent enough, but Windows sees VOICEMAIL.MP3.EXE – in other words, an executable file, better known as a program.

So instead of firing up your media player, opening the attachment runs the malware.
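The double-extension trick is easy to check for mechanically, which is worth doing at a mail gateway or in a triage script before anyone double-clicks. The Go program below is an added example written for this page, not code from the original article or from the NCA. It applies the rule just described: Windows acts on the last extension, while a user with “hide extensions for known file types” switched on sees only the part before it. The article names only .EXE, .MP3 and .JPG; the wider lists of executable and decoy extensions are this example’s assumption, and the sample filenames are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Extensions Windows executes when the user double-clicks the file. The article
// names only .EXE; the rest of this list is an assumption for the example.
var executableExts = map[string]bool{
	".exe": true, ".scr": true, ".com": true, ".pif": true, ".bat": true,
	".cmd": true, ".vbs": true, ".js": true, ".jse": true, ".wsf": true,
	".hta": true, ".msi": true,
}

// Extensions that read as harmless content and serve as the decoy part of the
// name (VOICEMAIL.MP3.EXE, INVOICE_SCAN.JPG.EXE). Also an assumption beyond .MP3/.JPG.
var decoyExts = map[string]bool{
	".mp3": true, ".wav": true, ".jpg": true, ".jpeg": true, ".png": true,
	".gif": true, ".pdf": true, ".doc": true, ".docx": true, ".xls": true,
	".xlsx": true, ".txt": true, ".tif": true,
}

// Verdict is the result of checking one attachment name.
type Verdict struct {
	Flagged   bool   // true when "opening" the file would run a program
	Displayed string // what Explorer shows with known extensions hidden
	Reason    string
}

// CheckAttachmentName applies the rule from the article: Windows acts on the
// last extension, the user tends to read the one before it.
func CheckAttachmentName(name string) Verdict {
	name = strings.TrimSpace(name)
	lower := strings.ToLower(name)
	parts := strings.Split(lower, ".")
	if len(parts) < 2 {
		return Verdict{Displayed: name, Reason: "no extension"}
	}
	// Explorer hides only the final, known extension, so the display name is
	// everything before the last dot.
	displayed := name[:strings.LastIndexByte(name, '.')]
	realExt := "." + parts[len(parts)-1]
	if !executableExts[realExt] {
		return Verdict{Displayed: displayed, Reason: "final extension " + realExt + " is not executable"}
	}
	if len(parts) >= 3 {
		decoy := "." + parts[len(parts)-2]
		if decoyExts[decoy] {
			return Verdict{
				Flagged:   true,
				Displayed: displayed,
				Reason:    fmt.Sprintf("decoy %s extension hides executable %s", decoy, realExt),
			}
		}
	}
	// A bare executable is still something no invoice or voicemail should be.
	return Verdict{Flagged: true, Displayed: displayed, Reason: "executable attachment " + realExt}
}

func main() {
	// Constructed sample names, not taken from a real campaign.
	samples := []string{"VOICEMAIL.MP3.EXE", "INVOICE_SCAN.JPG.EXE", "Q3_report.pdf", "setup.exe", "archive.tar.gz"}
	for _, n := range samples {
		v := CheckAttachmentName(n)
		fmt.Printf("%-22s shown as %-18s flagged=%-5v %s\n", n, v.Displayed, v.Flagged, v.Reason)
	}
}
```

The Displayed field is the useful part for user education: it is the name the victim actually read, so a gateway that quarantines flagged mail can tell the recipient “the file you saw as VOICEMAIL.MP3 was really VOICEMAIL.MP3.EXE”. Note that archive.tar.gz is not flagged; two extensions are only a problem when the last one runs.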

How you can help

Even if we can’t find the crooks to stop the ransom process and get back all the keys created so far, we don’t have to be victims.

If you are the go-to IT expert for your friends and family, you can help:

  • Warn your friends about the dangers of unsolicited email attachments.
  • Check that they have a proper anti-virus and are keeping it up-to-date.
  • Show them how to make backup copies of their precious files and to store the backups safely.
  • Make sure they keep up-to-date with patches for their operating system and software.
  • Get them to read up about CryptoLocker so they are in no doubt about the risk.
  • Use CryptoLocker as evidence why prevention is better than cure.

GET INFORMATION AND ADVICE

If you are looking for useful material to use in advising your friends and family, Naked Security has the following excellent resources at hand:

• How CryptoLocker works.

• CryptoLocker prevention, cleanup and recovery.

• A video showing CryptoLocker in action.

• Five tips for protecting against ransomware

Remember: an ounce of prevention is worth a pound – in this case, hundreds of pounds – of cure.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/en5PUU5irUo/

TOXIC DOLPHIN SANDWICH on the menu, say hacktivists


Entities using the name and iconography of Anonymous (EUTNAIOA) and claiming to come from the USA have threatened a series of online attacks against the Japanese government in protest at the continued practice of dolphin hunting in the small town of Taiji.

The online collective launched its OpKillingBay campaign last week and has already released a list of government sites it intends to DDoS.


These include the Ministry of Agriculture, Forestry and Fisheries; the Prime Minister’s Office; and the Ministry of Foreign Affairs, as well as the official site of Taiji town.

It is claiming to be preparing a Day of Action on December 1st to protest the dolphin hunt, which is likely to involve further attempts at DDoS-ing and/or defacing the sites.

EUTNAIOA USA also said it would release intercepted government communications apparently revealing a secret program, dubbed DevoX, involving the export of dolphin meat disguised as tinned tuna.

It claims officials in Taiji have bribed central government to allow this export trade, which it says pulls in annual sales of over $850m. The meat is sold by “big name” companies who are complicit in the trade, mainly to Western buyers, the group said.

Meat from dolphins caught in the area is thought to contain potentially dangerously high levels of mercury.

Taiji was made infamous by the 2009 documentary, The Cove, which depicted in graphic scenes the annual slaughter of thousands of dolphins from September to April.

The town has been a centre for dolphin hunting and whaling for hundreds of years, in compliance with Japanese law. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/18/anonymous_dolphin_hunting_taiji_attack/

Anonymous Indonesia claims attacks by Anonymous Australia


Entities using the name and iconography of Anonymous (EUTNAIOA) and claiming to be the Indonesian branch of the movement have accused entities using the name and iconography of Anonymous and claiming to be the Australian branch of the movement of attacks on Indonesia’s national airline Garuda and other hostile actions.

We’re using the rather silly language above because when we reported last week on a threat from Entities using the … let’s just shorten that to EUTNAIOA from now on … EUTNAIOA Australia to EUTNAIOA Indonesia, anons from around the world ridiculed the story and pointed out that one of the movement’s mottos is “United as one, divided by zero.”


Anon vs. Anon is therefore impossible, they suggested, and our story was bunk.

How then to explain the Tweets below from the @anon_indonesia account?

(Translation: It is wishful to forget that there are three parties to assist us. 3rd party who exploit Indonesia-conflict situations is anonymous international Australia)

(Translation: Anon Australia claims to have hacked Garuda Indonesia website, but only to leak the database. Why? Because they could not find the administration page to upload the deface file)

One explanation comes from EUTNAIOA Australia, which has denied the allegations in the tweets above and says the Indonesian press, especially merdeka.com, is telling porkies about the true situation.

“We do not want to war,” EUTNAIOA Australia say in a video. “We only wish to join together and expose our governments, not harm each other. There has been a lot of propaganda and misleading lies that have been said by the Indonesian community.”

It’s hard to say if either nation’s EUTNAIOA truly understands what’s going on here. Perhaps it’s all best understood as a division by zero error? ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/17/anonymous_indonesia_claims_attacks_by_anonymous_australia/


Firefox 25.0.1 – the security update that wasn’t?

Firefox just pushed out a minor browser update, bumping its version number from 25.0 to 25.0.1.

I don’t allow Firefox full autonomy over my updates, preferring to use the Check but let me choose option, so I was presented with a now-familiar popup to let me know what was on offer:

A security and stability update for Firefox is available: Firefox 25.0.1. It is strongly recommended that you apply this update for Firefox as soon as possible.

“There’s not much point,” I thought, “in using Let me choose if I don’t do some reading first, even though I almost always decide to board the update train at once.”

The Release Notes reiterated the security-related importance of the update:

FIXED – 25.0.1: New security fixes can be found here [link]

And the Known Vulnerabilities page listed five critical, three high and two moderate security advisories.

Eagle-eyed readers, however, will notice that these look very much like the bugs that were fixed in 25.0.

In fact, they are the security fixes from 25.0, all of them listed as patched on 29 October 2013.

A small mystery, to be sure, but not an encouraging one for users who like to read, learn and understand more about security patches before applying them.

What happened?

Perhaps there weren’t actually any security fixes, but Mozilla’s release boilerplate just assumed that there probably would be, and warned you anyway?

Or perhaps there were security fixes, but Mozilla released the update and published all the boilerplate pages before updating the pages to which they link?

→ Apple takes the latter course most of the time: you get a link to a generic security page (Apple’s well-known landing page HT1222) that usually only gets updated later with the link you really want. Let’s hope Mozilla hasn’t copied Apple’s often laboured and sluggish disclosure strategy.

What to do?

As you can probably guess, I just shrugged and boarded the train.

The update was only 236KB, so there wasn’t a lot to it, and everything seemed to work.

Is this the way of the future?

In a recent Chet Chat podcast, fellow Naked Security writer Chester Wisniewski asked that very same question, albeit in a slightly different way.

Chet coined the term local cloud as a light-hearted way of describing applications that you install and run locally, but which might as well not have a version number because they just update automatically over the internet, on a schedule to suit themselves.

In other words, local cloud applications are like cloud apps in the sense that “you get what you get,” even though they load and run offline, and you don’t need to run them in a browser.

Google’s Chrome is as good as there already; Apple’s iOS and Mozilla’s Firefox are getting pretty close.

Android is as good as there, too, with the added confusion that different Google partners and providers push out their updates at wildly varying times. (Some Android devices never get the latest updates at all, sometimes leaving them vulnerable indefinitely, perhaps to enormous security holes.)

Is this a good thing?

Take a listen to the discussion in the podcast, and let us know what you think.

(We start talking about Android at 6’01” and about the local cloud concept at 9’48”.)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/t78k-rO88oE/



File-NUKING Cryptolocker PC malware MENACES ‘TENS of MILLIONS’ in UK


The infamous Cryptolocker malware, which encrypts your computer files and demands a payment of £534 ($860) to unlock them, may have been sent to “tens of millions” of Brits, Blighty’s crime-busters warned today.

According to an alert from the UK National Crime Agency (NCA), a fresh round of ransomware-loaded spam posing as bank notices has been sent out, with small and medium-sized businesses targeted in particular. The messages, described as a “significant risk”, carry booby-trapped attachments and claim to be official documents from financial institutions.


Lurking within the attachments is a Trojan called Cryptolocker that, when executed, silently installs itself and quietly begins encrypting documents one by one on the Windows PC using tough-as-nails AES256. When it’s finished, it demands a ransom payment of 2 Bitcoins (at least 500 quid or 800 bucks) to decrypt the data, which must be paid within a time limit.

The software nasty is particularly fiendish: The malware first contacts its master’s control server, which generates a new public-private 2048-bit RSA cryptographic key pair and sends the public half to the malware.

Then for every file discovered on the computer, Cryptolocker generates a new 256-bit key and uses it to encrypt that document using the virtually unbreakable AES256 algorithm. That AES key is then encrypted using the RSA public key and stored with the obfuscated document.

Only when the victim pays up does the Trojan download the private half of the RSA key, which is used to decrypt the per-file AES keys and ultimately restore all the protected documents. Targeted files include anything with .doc, .docx, .xls, .xlsx, .ppt, .pptx, .dwg, .dxf, .dxg and .jpg extensions and plenty more.
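The Naked Security bullets earlier on this page (a different key per victim, nothing to share with the next victim, the key never leaving the crooks’ sight) and the scheme just described come down to one construction: envelope encryption, with a fresh symmetric key per file wrapped under a public key whose private half is held elsewhere. The Go program below is an added example written for this page, not code from the malware or from either publication. It models that key flow on a few constructed in-memory byte strings and never touches the file system, so it is a demonstration of why the defensive advice is backups rather than cryptanalysis. AES-GCM and RSA-OAEP are this example’s choices, since the articles name only AES-256 and RSA-2048 without mode or padding; the function names are invented.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Locked is one document after the scheme has run: the ciphertext plus the
// per-file AES key wrapped under the operator's RSA public key, stored with it.
type Locked struct {
	WrappedKey []byte // RSA-OAEP(pub, aesKey): useless without the private key
	Nonce      []byte
	Ciphertext []byte
}

// NewOperatorKey models the control server generating a fresh 2048-bit RSA key
// pair per victim. Only the public half ever reaches the victim's machine.
func NewOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// lockOne is the per-file step: fresh 256-bit key, encrypt the document, wrap
// the key with the public key, and let the plaintext key go out of scope.
// GCM and OAEP are this example's choices; the article does not name mode or padding.
func lockOne(pub *rsa.PublicKey, plaintext []byte) (Locked, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return Locked{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Locked{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Locked{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Locked{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Locked{}, err
	}
	return Locked{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// unlockOne is the step the victim can only perform once the private key is
// released: unwrap the per-file key, then decrypt the document.
func unlockOne(priv *rsa.PrivateKey, l Locked) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong private key fails here, before AES is ever reached
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// LockAll runs the per-file step over a set of in-memory documents.
func LockAll(pub *rsa.PublicKey, docs map[string][]byte) (map[string]Locked, error) {
	out := make(map[string]Locked, len(docs))
	for name, data := range docs {
		l, err := lockOne(pub, data)
		if err != nil {
			return nil, err
		}
		out[name] = l
	}
	return out, nil
}

// UnlockAll recovers every document, or fails if priv is not the matching key.
func UnlockAll(priv *rsa.PrivateKey, locked map[string]Locked) (map[string][]byte, error) {
	out := make(map[string][]byte, len(locked))
	for name, l := range locked {
		data, err := unlockOne(priv, l)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out[name] = data
	}
	return out, nil
}

func main() {
	// Constructed sample documents; nothing here reads or writes files.
	docs := map[string][]byte{"budget.xlsx": []byte("Q4 figures"), "letter.docx": []byte("Dear Sir")}
	operator, _ := NewOperatorKey()
	locked, _ := LockAll(&operator.PublicKey, docs)
	fmt.Println("per-file wrapped keys differ:", !bytes.Equal(locked["budget.xlsx"].WrappedKey, locked["letter.docx"].WrappedKey))
	other, _ := NewOperatorKey() // a key pair generated for some other victim
	_, err := UnlockAll(other, locked)
	fmt.Println("another victim's private key fails:", err != nil)
	recovered, _ := UnlockAll(operator, locked)
	fmt.Println("matching private key recovers:", bytes.Equal(recovered["budget.xlsx"], docs["budget.xlsx"]))
}
```

The three printed checks are the three points the articles make: every file carries a different wrapped key, a private key generated for another victim fails at the OAEP unwrap, and only the operator’s private half yields the documents. Nothing on the infected machine, and no amount of brute force against AES-256 or RSA-2048, changes that, which is why the recovery path is an offline backup. The identical construction, with the private key held in a hardware module or key-management service rather than on a criminal’s server, is how legitimate backup and storage encryption is built.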

Users are urged to maintain regular backups of their data, kept separate from their computers, as the encryption is essentially uncrackable, and consider using tools to thwart the software nasty. The Trojan infects systems running Windows 8, Windows 7, Vista, and XP.

“The emails may be sent out to tens of millions of UK customers, but appear to be targeting small and medium businesses in particular,” the UK’s NCA said.

“This spamming event is assessed as a significant risk.”

Cryptolocker’s operators are also apparently developing a keen sense of economic opportunism, upping their Bitcoin demands at a time when the digital currency’s exchange rate has never been higher.

While authorities have yet to finger any suspects behind the Cryptolocker epidemic, the NCA believes the operation is the work of a tech-savvy crime ring.

“The NCA are actively pursuing organized crime groups committing this type of crime,” said Les Miles, deputy head of the NCA’s National Cyber Crime Unit.

“We are working in cooperation with industry and international partners to identify and bring to justice those responsible and reduce the risk to the public.”

In addition to installing and updating trusted security software, users and administrators can protect against infections by using best practices (read: common sense) such as avoiding links and attachments from unknown or suspicious sources and scanning all attached files for malware. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/15/cryptolocker_menace_triggers_nca_alert/
