Jun 30 2014

Millions of dynamic DNS users suffer after Microsoft seizes No-IP domains

Millions of legitimate servers that rely on dynamic domain name services from No-IP.com suffered outages on Monday after Microsoft seized 22 domain names it said were being abused in malware-related crimes against Windows users.

Microsoft enforced a federal court order making the company the domain IP resolver for the No-IP domains. Microsoft said the objective of the seizure was to identify and reroute traffic associated with two malware families that abused No-IP services. Almost immediately, end users, some of which were actively involved in Internet security, castigated the move as heavy handed, since there was no evidence No-IP officially sanctioned or actively facilitated the malware campaign, which went by the names Bladabindi (aka NJrat) and Jenxcus (aka NJw0rm).

"By becoming the DNS authority for those free dynamic DNS domains, Microsoft is now effectively in a position of complete control and is now able to dictate their configuration," Claudio Guarnieri, co-founder of Radically Open Security, wrote in an e-mail to Ars Technica. "Microsoft fundamentally swept away No-IP, which has seen parts of its own DNS infrastructure legally taken away."

Read 8 remaining paragraphs | Comments

Jun 30 2014

Active malware operation let attackers sabotage US energy industry


Researchers have uncovered a malware campaign that gave attackers the ability to sabotage the operations of energy grid owners, electricity generation firms, petroleum pipelines, and industrial equipment providers.

Called Dragonfly, the hacking group managed to install one of two remote access trojans (RATs) on computers belonging to energy companies located in the US and at least six European countries, according to a research report published Monday by Symantec. One of the RATs, called Havex, was spread by hacking the websites of companies selling software used in industrial control systems (ICS) and waiting for companies in the energy and manufacturing industries to install booby-trapped versions of the legitimate apps.

"This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems," the Symantec report stated. "While Stuxnet was narrowly targeted at the Iranian nuclear program and had sabotage as its primary goal, Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required."

Read 5 remaining paragraphs | Comments

Jun 30 2014

Dragonfly: Western Energy Companies Under Sabotage Threat

Cyberespionage campaign stole information from targets and had the capability to launch sabotage operations.

Jun 30 2014

Microsoft Kills Security Emails, Blames Canada

In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company’s recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software.

keepcalmblamecanadaUpdate, 5:39 p.m. ET: In an apparent reversal, Microsoft now says it will be re-instating the security notifications via email. Please read the update at the end of this post.

Original story:

Last week, Microsoft sent the following notice to IT professionals and others who have signed up to receive email notices of security updates:

As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:”

* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins

“In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website.”

“For more information, or to sign up for an RSS feed, visit the Microsoft Technical Security Notifications webpage at http://technet.microsoft.com/security/dd252948.”

Asked about the reason for the change, a Microsoft spokesperson said email communication was suspended to comply with a new Canadian anti-spam law that takes effect on July 1, 2014.

Some anti-spam experts who worked very closely on Canada’s Anti-Spam Law (CASL) say they are baffled by Microsoft’s response to a law which has been almost a decade in the making.

Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE), said CASL contains carve-outs for warranty and product safety and security alerts that would more than adequately exempt the Microsoft missives from the regulation.

Indeed, an exception in the law says it does not apply to commercial electronic messages that solely provide “warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased.

“I am at a complete and total loss to understand how the people in Redmond made such an apparently panicked decision,” Schwartzman said,” noting that Microsoft was closely involved in the discussions in the Canadian parliament over the bill’s trajectory and content. “This is the first company I know of that’s been that dumb.”

Schwartzman said many companies have used CASL as an excuse to freshen up their email lists and to re-engage their customers. Some have even gone so far as to enter respondents who verify that they still want to receive email communications from a company into drawings for cash prizes and other giveaways.

“Over the past couple of weeks, I’ve seen nothing but a steady stream of reconfirmation mails from various companies,” he said. “I’m now in the running for several $500 dollar gift certificates because I confirmed my email. And at the bottom of each of these messages is a note that says ‘please ignore this offer if you’re not Canadian.’”

CAUCE board member Jeff Williams, a former group program manager at Microsoft’s Malware Protection Center, chalked Microsoft’s decision up to a little more than a tough call.

“I can imagine the discussion and wondering among the lawyers and [Microsoft] whether they should try to get hundreds of millions of opt-ins before June 30 or if they should change the way they share info,” Williams said. “I’m sure it wasn’t an wasn’t an easy decision, but I wouldn’t call it an overreaction.”

In addition to pushing notices about new updates out via Microsoft’s RSS feeds, the company also appears to be making the security email alerts available to users who have Live, Outlook or Hotmail accounts with Microsoft. And of course, readers can continue to rely on KrebsOnSecurity to feature information on any new security updates available from Microsoft, including each Patch Tuesday bundle as well as emergency, “out-of-band” updates released to address zero-day security threats.

Update, 5:40 p.m. ET: In an apparent reversal of its decision, Microsoft now says it will be re-starting its security notifications via email early next month. From a Microsoft’s spokesperson: “On June 27, 2014, Microsoft notified customers that we were suspending Microsoft Security Notifications due to changing governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014.”