From security em unicamp.br Wed Nov 6 12:02:43 2013
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 6 Nov 2013 14:02:43 +0000
Subject: [SECURITY-L] US-CERT@ncas.us-cert.gov: TA13-309A: CryptoLocker Ransomware Infections
Message-ID: <20131106140243.GC4242@unicamp.br>

----- Forwarded message from US-CERT -----

Date: Wed, 06 Nov 2013 07:48:27 -0600
From: US-CERT
To: security em unicamp.br
Subject: TA13-309A: CryptoLocker Ransomware Infections

NCCIC / US-CERT

National Cyber Awareness System:
TA13-309A: CryptoLocker Ransomware Infections [ https://www.us-cert.gov/ncas/alerts/TA13-309A ]
11/05/2013 10:58 AM EST

Original release date: November 05, 2013 | Last revised: November 06, 2013

Systems Affected

Microsoft Windows systems running Windows 7, Vista, and XP operating systems

Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers' command and control (C2) server to deposit the asymmetric private encryption key out of the victim's reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key. US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3) [ http://www.ic3.gov ].

Solution

*Prevention*

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

* Do not follow unsolicited web links in email messages or submit any information to webpages in links
* Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments [ http://www.us-cert.gov/ncas/tips/st04-010 ] for more information on safely handling email attachments
* Maintain up-to-date anti-virus software
* Perform regular backups of all systems to limit the impact of data and/or system loss
* Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity
* Secure open-share drives by only allowing connections from authorized users
* Keep your operating system and software up-to-date with the latest patches
* Refer to the Recognizing and Avoiding Email Scams [ http://www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf ] (pdf) document for more information on avoiding email scams
* Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks [ http://www.us-cert.gov/ncas/tips/st04-014 ] for more information on social engineering attacks

*Mitigation*

US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

* Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network
* Users who are infected should change all passwords AFTER removing the malware from their system
* Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:
    * Restore from backup,
    * Restore from a shadow copy or
    * Perform a system restore.

References

* CryptoLocker Virus: New Malware Holds Computers For Ransom, Demands $300 Within 100 Hours And Threatens To Encrypt Hard Drive [ http://www.ibtimes.com/cryptolocker-virus-new-malware-holds-computers-ransom-demands-300-within-100-hours-threatens-encrypt ]
* CryptoLocker Wants Your Money! [ http://www.securelist.com/en/blog/208214109/CryptoLocker_Wants_Your_Money ]
* CryptoLocker ransomware - see how it works, learn about prevention, cleanup and recovery [ http://nakedsecurity.sophos.com/2013/10/18/CryptoLocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/ ]
* Microsoft Support - Description of the Software Restriction Policies in Windows XP [ http://support.microsoft.com/kb/310791 ]
* Microsoft Software Restriction Policies Technical Reference - How Software Restriction Policies Work [ http://technet.microsoft.com/en-us/library/cc786941%28v=ws.10%29.aspx ]
* CryptoLocker Ransomware Information Guide and FAQ [ http://www.bleepingcomputer.com/virus-removal/CryptoLocker-ransomware-information ]

Revision History

* Initial

________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy & Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

OTHER RESOURCES:
Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ http://www.us-cert.gov/related-resources ]

STAY CONNECTED:
Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ]

SUBSCRIBER SERVICES:
Manage Preferences [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscribers/new?preferences=true ] | Unsubscribe [ https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/one_click_unsubscribe?verification=5.6a6fc2cec2b9952ff27f6db27530aead&destination=security em unicamp.br ] | Help

________________________________________________________________________

This email was sent to security em unicamp.br using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (703) 235-5110
Powered by GovDelivery [ http://www.govdelivery.com/portals/powered-by ]

----- End forwarded message -----

From security em unicamp.br Wed Nov 13 09:01:28 2013
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 13 Nov 2013 11:01:28 +0000
Subject: [SECURITY-L] [US-CERT@ncas.us-cert.gov: Philippines Typhoon Disaster Email Scams and Phishing Attack Warning]
Message-ID: <20131113110128.GA7368@unicamp.br>

----- Forwarded message from US-CERT -----

Date: Tue, 12 Nov 2013 13:16:04 -0600
From: US-CERT
To: security em unicamp.br
Subject: Philippines Typhoon Disaster Email Scams and Phishing Attack Warning

NCCIC / US-CERT

National Cyber Awareness System:
Philippines Typhoon Disaster Email Scams and Phishing Attack Warning [ https://www.us-cert.gov/ncas/current-activity/2013/11/12/Philippines-Typhoon-Disaster-Email-Scams-Fake-Antivirus-and ]
11/12/2013 09:57 AM EST

Original release date: November 12, 2013

After a natural disaster phishing emails and websites requesting donations for bogus charitable organizations begin to appear. Users should be aware of potential email scams and phishing attacks regarding the recent Philippines Typhoon disaster. Email scams may contain links or attachments which may direct users to phishing or malware-laden websites.

US-CERT encourages users to take the following measures to protect themselves:

* Do not follow unsolicited web links or attachments in email messages
* Maintain up-to-date antivirus software
* Review the Recognizing Fake Antivirus [ http://www.us-cert.gov/ncas/tips/ST10-001 ] document for additional information on recognizing fake antivirus.
* Refer to the Avoiding Social Engineering and Phishing Attacks [ http://www.us-cert.gov/ncas/tips/ST04-014 ] document for additional information on social engineering attacks.
* Refer to the Recognizing and Avoiding Email Scams [ http://www.us-cert.gov/security-publications/recognizing-and-avoiding-email-scams ] (pdf) document for additional information on avoiding email scams.
* Review the Federal Trade Commission's Charity Checklist [ http://www.consumer.ftc.gov/articles/0074-giving-charity ].
* Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau's National Charity Report Index [ http://www.bbb.org/charity-reviews/national/ ].

US-CERT will provide additional information as it becomes available.

----- End forwarded message -----

From security em unicamp.br Wed Nov 13 09:02:39 2013
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 13 Nov 2013 11:02:39 +0000
Subject: [SECURITY-L] [US-CERT@ncas.us-cert.gov: Microsoft Addresses New Watering Hole Attack in the November, 2013 Security Bulletin Release]
Message-ID: <20131113110239.GB7368@unicamp.br>

----- Forwarded message from US-CERT -----

Date: Tue, 12 Nov 2013 13:26:38 -0600
From: US-CERT
To: security em unicamp.br
Subject: Microsoft Addresses New Watering Hole Attack in the November, 2013 Security Bulletin Release

NCCIC / US-CERT

National Cyber Awareness System:
Microsoft Addresses New Watering Hole Attack in the November, 2013 Security Bulletin Release [ https://www.us-cert.gov/ncas/current-activity/2013/11/12/Microsoft-Addresses-New-Watering-Hole-Attack-November-2013-Security ]
11/12/2013 01:23 PM EST

Original release date: November 12, 2013

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Internet Explorer and Office as part of the Microsoft Security Bulletin Summary for November, 2013 [ http://technet.microsoft.com/en-us/security/bulletin/ms13-nov ]. These vulnerabilities could allow remote code execution, elevation of privilege, information disclosure or denial of service.

The November Security Bulletin includes a patch for the new "watering hole" campaign which utilizes a US-based website that specializes in domestic and international security policy.

US-CERT encourages users and administrators to review the bulletin [ http://technet.microsoft.com/en-us/security/bulletin/ms13-nov ] and follow best practice security policies to determine which updates should be applied.

----- End forwarded message -----

From security em unicamp.br Thu Nov 14 09:50:52 2013
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 14 Nov 2013 11:50:52 +0000
Subject: [SECURITY-L] [US-CERT@ncas.us-cert.gov: Google Releases Google Chrome 31.0.1650.48]
Message-ID: <20131114115052.GC16954@unicamp.br>

----- Forwarded message from US-CERT -----

Date: Wed, 13 Nov 2013 14:10:41 -0600
From: US-CERT
To: security em unicamp.br
Subject: Google Releases Google Chrome 31.0.1650.48

NCCIC / US-CERT

National Cyber Awareness System:
Google Releases Google Chrome 31.0.1650.48 [ https://www.us-cert.gov/ncas/current-activity/2013/11/13/Google-Releases-Google-Chrome-310165048 ]
11/13/2013 02:30 PM EST

Original release date: November 13, 2013

Google has released Google Chrome 31.0.1650.48 for Windows, Mac, Linux, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities could allow a remote attacker to cause a denial of service condition or bypass intended security restrictions.

US-CERT encourages users and administrators to review the Google Chrome Release blog [ http://googlechromereleases.blogspot.com/search/label/Stable%20updates ] entry and follow best practice security policies to determine which updates should be applied.

----- End forwarded message -----

From security em unicamp.br Mon Nov 18 11:48:32 2013
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 18 Nov 2013 13:48:32 +0000
Subject: [SECURITY-L] [US-CERT@ncas.us-cert.gov: TA13-317A: Microsoft Updates for Multiple Vulnerabilities]
Message-ID: <20131118134832.GB3266@unicamp.br>

----- Forwarded message from US-CERT -----

Date: Sat, 16 Nov 2013 06:05:23 -0600
From: US-CERT
To: security em unicamp.br
Subject: TA13-317A: Microsoft Updates for Multiple Vulnerabilities

NCCIC / US-CERT

National Cyber Awareness System:
TA13-317A: Microsoft Updates for Multiple Vulnerabilities [ https://www.us-cert.gov/ncas/alerts/TA13-317A ]
11/13/2013 07:12 AM EST

Original release date: November 13, 2013 | Last revised: November 16, 2013

Systems Affected

* Windows Operating System and Components
* Microsoft Office
* Internet Explorer

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for November 2013 [ http://technet.microsoft.com/en-us/security/bulletin/ms13-nov ] describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities.

The November Security Bulletin includes a patch for the new "watering hole" campaign which utilizes a US-based website that specializes in domestic and international security policy.

Impact

These vulnerabilities could allow remote code execution, elevation of privilege, information disclosure or denial of service.

Solution

*Apply Updates*

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for November 2013 [ http://technet.microsoft.com/en-us/security/bulletin/ms13-nov ], which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services [ http://www.us-cert.gov/redirect?url=http%3A%2F%2Ftechnet.microsoft.com%2Fen-us%2Fwsus%2Fdefault.aspx ] (WSUS). Home users are encouraged to enable automatic updates [ http://www.us-cert.gov/redirect?url=http%3A%2F%2Fwindows.microsoft.com%2Fen-us%2Fwindows-vista%2FTurn-automatic-updating-on-or-off ].

References

* Microsoft Security Bulletin Summary for November 2013 [ http://technet.microsoft.com/en-us/security/bulletin/ms13-nov ]
* Microsoft Windows Server Update Services [ http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx ]
* Turn Automatic Updating On or Off [ http://windows.microsoft.com/en-us/windows/turn-automatic-updating-on-off#turn-automatic-updating-on-off=windows-vista ]

Revision History

* November 13, 2013: Initial Release

----- End forwarded message -----

From security em unicamp.br Mon Nov 18 11:57:49 2013
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 18 Nov 2013 13:57:49 +0000
Subject: [SECURITY-L] [US-CERT@ncas.us-cert.gov: BlackBerry Releases Security Advisory]
Message-ID: <20131118135749.GD3266@unicamp.br>

----- Forwarded message from US-CERT -----

Date: Thu, 14 Nov 2013 14:09:05 -0600
From: US-CERT
To: security em unicamp.br
Subject: BlackBerry Releases Security Advisory

NCCIC / US-CERT

National Cyber Awareness System:
BlackBerry Releases Security Advisory [ https://www.us-cert.gov/ncas/current-activity/2013/11/14/BlackBerry-Releases-Security-Advisory ]
11/14/2013 02:36 PM EST

Original release date: November 14, 2013

BlackBerry has released a security advisory to address potential vulnerabilities that affect a remote file access feature within BlackBerry Link for BlackBerry 10 Operating Systems. These vulnerabilities could allow an attacker to obtain elevation of privilege or execute arbitrary code remotely.

US-CERT recommends users and administrators to review the BlackBerry Security Advisory BSRT 2013-012 [ http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB35315 ] and follow best practice security policies to determine which updates should be applied.

----- End forwarded message -----

From security em unicamp.br Mon Nov 18 12:25:34 2013
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 18 Nov 2013 14:25:34 +0000
Subject: [SECURITY-L] [US-CERT@ncas.us-cert.gov: TA13-309A: CryptoLocker Ransomware Infections]
Message-ID: <20131118142534.GF3266@unicamp.br>

----- Forwarded message from US-CERT -----

Date: Fri, 15 Nov 2013 14:18:58 -0600
From: US-CERT
To: security em unicamp.br
Subject: TA13-309A: CryptoLocker Ransomware Infections

NCCIC / US-CERT

National Cyber Awareness System:
TA13-309A: CryptoLocker Ransomware Infections [ https://www.us-cert.gov/ncas/alerts/TA13-309A ]
11/05/2013 10:58 AM EST

Original release date: November 05, 2013 | Last revised: November 15, 2013

Systems Affected

Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems

Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers' command and control (C2) server to deposit the asymmetric private encryption key out of the victim's reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key. US-CERT and DHS encourage users and administrators experiencing a ransomware infection to report the incident to the FBI at the Internet Crime Complaint Center (IC3) [ http://www.ic3.gov ].

Solution

*Prevention*

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

* Do not follow unsolicited web links in email messages or submit any information to webpages in links
* Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments [ http://www.us-cert.gov/ncas/tips/st04-010 ] for more information on safely handling email attachments
* Maintain up-to-date anti-virus software
* Perform regular offline backups of all systems to limit the impact of data and/or system loss
* Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity
* Secure open-share drives by only allowing writable access to necessary user groups or authenticated users
* Keep your operating system and software up-to-date with the latest patches
* Refer to the Recognizing and Avoiding Email Scams [ http://www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf ] (pdf) document for more information on avoiding email scams
* Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks [ http://www.us-cert.gov/ncas/tips/st04-014 ] for more information on social engineering attacks

*Mitigation*

US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

* Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network
* Users who are infected should change all passwords AFTER removing the malware from their system
* Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:
    * Restore from backup,
    * Restore from a shadow copy or
    * Perform a system restore.

References

* CryptoLocker Virus: New Malware Holds Computers For Ransom, Demands $300 Within 100 Hours And Threatens To Encrypt Hard Drive [ http://www.ibtimes.com/cryptolocker-virus-new-malware-holds-computers-ransom-demands-300-within-100-hours-threatens-encrypt ]
* CryptoLocker Wants Your Money! [ http://www.securelist.com/en/blog/208214109/CryptoLocker_Wants_Your_Money ]
* CryptoLocker ransomware - see how it works, learn about prevention, cleanup and recovery [ http://nakedsecurity.sophos.com/2013/10/18/CryptoLocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/ ]
* Microsoft Support - Description of the Software Restriction Policies in Windows XP [ http://support.microsoft.com/kb/310791 ]
* Microsoft Software Restriction Policies Technical Reference - How Software Restriction Policies Work [ http://technet.microsoft.com/en-us/library/cc786941%28v=ws.10%29.aspx ]
* CryptoLocker Ransomware Information Guide and FAQ [ http://www.bleepingcomputer.com/virus-removal/CryptoLocker-ransomware-information ]

Revision History

* November 5, 2013: Initial Release
* November 13, 2013: Update to Systems Affected (inclusion of Windows 8)
* November 15, 2013: Updates to Impact and Prevention sections.

________________________________________________________________________ OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ http://www.us-cert.gov/related-resources ] STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ] SUBSCRIBER SERVICES: Manage Preferences [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscribers/new?preferences=true ]  |  Unsubscribe [ https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/one_click_unsubscribe?verification=5.6a6fc2cec2b9952ff27f6db27530aead&destination=security em unicamp.br ]  |  Help ________________________________________________________________________ This email was sent to security em unicamp.br using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (703) 235-5110 Powered by GovDelivery [ http://www.govdelivery.com/portals/powered-by ] ----- End forwarded message ----- From security em unicamp.br Mon Nov 18 14:22:45 2013 From: security em unicamp.br (CSIRT - UNICAMP) Date: Mon, 18 Nov 2013 16:22:45 +0000 Subject: [SECURITY-L] [US-CERT@ncas.us-cert.gov: Google Releases Google Chrome 31.0.1650.57] Message-ID: <20131118162245.GJ3266@unicamp.br> ----- Forwarded message from US-CERT ----- Date: Mon, 18 Nov 2013 09:11:04 -0600 From: US-CERT To: security em unicamp.br Subject: Google Releases Google Chrome 31.0.1650.57 NCCIC / US-CERT National Cyber Awareness System: Google Releases Google Chrome 31.0.1650.57 [ https://www.us-cert.gov/ncas/current-activity/2013/11/18/Google-Releases-Google-Chrome-310165057 ] 11/18/2013 07:30 AM EST Original release date: November 18, 2013 Google has released Google Chrome 31.0.1650.57 for Windows, Mac, Linux and Chrome Frame to address a vulnerability. 
This vulnerability could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. US-CERT encourages users and administrators to review the Google Chrome Release blog [ http://googlechromereleases.blogspot.com/search/label/Stable%20updates ] entry and follow best-practice security policies to determine which updates should be applied. ________________________________________________________________________ This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy & Use [ http://www.us-cert.gov/privacy/ ] policy. ________________________________________________________________________ OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ http://www.us-cert.gov/related-resources ] STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ] SUBSCRIBER SERVICES: Manage Preferences [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscribers/new?preferences=true ]  |  Unsubscribe [ https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/one_click_unsubscribe?verification=5.6a6fc2cec2b9952ff27f6db27530aead&destination=security em unicamp.br ]  |  Help [ https://subscriberhelp.govdelivery.com/ ] ________________________________________________________________________ This email was sent to security em unicamp.br using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (703) 235-5110 Powered by GovDelivery [ http://www.govdelivery.com/portals/powered-by ] ----- End forwarded message ----- From security em unicamp.br Tue Nov 19 15:04:56 2013 From: security em unicamp.br (CSIRT - UNICAMP) Date: Tue, 19 Nov 2013 17:04:56 +0000 Subject: [SECURITY-L] [US-CERT@ncas.us-cert.gov: 
Mozilla Releases Multiple Updates]
Message-ID: <20131119170456.GP3266@unicamp.br>

----- Forwarded message from US-CERT -----

Date: Tue, 19 Nov 2013 08:23:11 -0600
From: US-CERT
To: security em unicamp.br
Subject: Mozilla Releases Multiple Updates

NCCIC / US-CERT National Cyber Awareness System:
Mozilla Releases Multiple Updates [ https://www.us-cert.gov/ncas/current-activity/2013/11/19/Mozilla-Releases-Multiple-Updates ]
11/19/2013 07:36 AM EST
Original release date: November 19, 2013

The Mozilla Foundation has released updates for the following products to address multiple vulnerabilities.

* Firefox 25.0.1
* Firefox ESR 24.1.1
* Firefox ESR 17.0.11
* Seamonkey 2.22.1

These vulnerabilities could allow a remote attacker to bypass intended security restrictions or cause a denial-of-service condition.

US-CERT encourages users and administrators to review the Mozilla Foundation Advisory for Firefox 25.0.1 [ http://www.mozilla.org/security/known-vulnerabilities/firefox.html ], Firefox ESR 24.1.1 [ http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html ], Firefox ESR 17.0.11 [ http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html ], and Seamonkey 2.22.1 [ http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html ], and apply any necessary updates to help mitigate the risk.
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy & Use [ http://www.us-cert.gov/privacy/ ] policy.

----- End forwarded message -----

From security em unicamp.br Thu Nov 21 09:52:20 2013
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 21 Nov 2013 11:52:20 +0000
Subject: [SECURITY-L] [US-CERT@ncas.us-cert.gov: Holiday Season Phishing Scams and Malware Campaigns]
Message-ID: <20131121115220.GS3266@unicamp.br>

----- Forwarded message from US-CERT -----

Date: Tue, 19 Nov 2013 16:10:48 -0600
From: US-CERT
To: security em unicamp.br
Subject: Holiday Season Phishing Scams and Malware Campaigns

NCCIC / US-CERT National Cyber Awareness System:
Holiday Season Phishing Scams and Malware Campaigns [ https://www.us-cert.gov/ncas/current-activity/2013/11/19/Holiday-Season-Phishing-Scams-and-Malware-Campaigns ]
11/19/2013 04:10 PM EST
Original release date: November 19, 2013

As the winter holidays approach, US-CERT reminds users
to stay aware of seasonal scams and cyber campaigns, which may include:

* electronic greeting cards that may contain malware
* requests for charitable contributions that may be phishing scams and may originate from illegitimate sources claiming to be charities
* screensavers or other forms of media that may contain malware
* credit card applications that may be phishing scams or identity theft attempts
* online shopping advertisements that may be phishing scams or identity theft attempts from bogus retailers
* shipping notifications that may be phishing scams or may contain malware

US-CERT encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:

* Refer to the Shopping Safely Online [ http://www.us-cert.gov/cas/tips/ST07-001.html ] Cyber Security Tip for more information on online shopping safety.
* Do not follow unsolicited web links in email messages.
* Use caution when opening email attachments. Refer to the Using Caution with Email Attachments [ http://www.us-cert.gov/cas/tips/ST04-010.html ] Cyber Security Tip for more information on safely handling email attachments.
* Maintain up-to-date antivirus software.
* Review the Federal Trade Commission's Charity Checklist [ http://www.ftc.gov/bcp/edu/pubs/consumer/telemarketing/tel01.shtm ].
* Verify charity authenticity through a trusted contact number. Trusted contact information can be found on the Better Business Bureau's National Charity Report Index [ http://charityreports.bbb.org/public/All.aspx?bureauID=9999 ].
* Refer to the Recognizing and Avoiding Email Scams [ http://www.us-cert.gov/reading_room/emailscams_0905.pdf ] (pdf) document for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks [ http://www.us-cert.gov/cas/tips/ST04-014.html ] Cyber Security Tip for more information on social engineering attacks.
* Refer to the Holiday Traveling with Personal Internet-Enabled Devices [ http://www.us-cert.gov/ncas/tips/ST11-001 ] Cyber Security Tip for more information on protecting personal mobile devices while traveling over the holidays.
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy & Use [ http://www.us-cert.gov/privacy/ ] policy.

----- End forwarded message -----

From security em unicamp.br Fri Nov 29 10:53:48 2013
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Fri, 29 Nov 2013 12:53:48 +0000
Subject: [SECURITY-L] [US-CERT@ncas.us-cert.gov: Microsoft Releases Security Advisory for Microsoft Windows Kernel]
Message-ID: <20131129125348.GB23527@unicamp.br>

----- Forwarded message from US-CERT -----

Date: Thu, 28 Nov 2013 14:10:32 -0600
From: US-CERT
To: security em unicamp.br
Subject: Microsoft Releases Security Advisory for Microsoft Windows Kernel

NCCIC / US-CERT National Cyber Awareness System:
Microsoft Releases Security Advisory for Microsoft Windows Kernel [ https://www.us-cert.gov/ncas/current-activity/2013/11/28/Microsoft-Releases-Security-Advisory-Microsoft-Windows-Kernel ]
11/28/2013 02:21 PM EST
Original release date: November 28, 2013

Microsoft has released Security Advisory 2914486 [ http://technet.microsoft.com/en-us/security/advisory/2914486 ] to address a vulnerability in a kernel component of Windows XP and Windows Server 2003. This vulnerability could allow an attacker to obtain elevation of privilege and then execute arbitrary code. Microsoft is aware of limited, targeted attacks that attempt to exploit this vulnerability in the wild.

US-CERT encourages users and administrators to review Microsoft Security Advisory 2914486 [ http://technet.microsoft.com/en-us/security/advisory/2914486 ]. Please note that the advisory indicates that the workaround does not correct the vulnerability, but it may help mitigate risk against known attack vectors. US-CERT will provide additional information as it becomes available.
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy & Use [ http://www.us-cert.gov/privacy/ ] policy.

----- End forwarded message -----