SoylentNews is people
SoylentNews
ESET's WeLiveSecurity blog has released details of Win32/Potao malware attack campaigns on high-value targets in Ukraine, Russia, Georgia and Belarus:
We presented our initial findings based on research into the Win32/Potao malware family in June, in our CCCC 2015 presentation in Copenhagen. Today, we are releasing the full whitepaper on the Potao malware with additional findings, the cyber-espionage campaigns where it was employed, and its connection to a backdoor in the form of a modified version of the TrueCrypt encryption software.
Like BlackEnergy, the malware used by the so-called Sandworm APT group (also known as Quedagh), Potao is an example of targeted espionage malware directed mostly at targets in Ukraine and a number of other post-Soviet countries, including Russia, Georgia and Belarus.
[...] An (A)PT malware family that has gone relatively unnoticed for five years and that has also been used to spy on Ukrainian governmental and military targets is certainly interesting in and of itself. However, perhaps the most attention-grabbing discovery related to this case was when we observed a connection to the popular open-source encryption software, TrueCrypt. We found out that the website truecryptrussia.ru has been serving modified versions of the encryption software that included a backdoor to selected targets. Clean versions of the application are served to normal visitors to the website, i.e. people who aren't of interest to the attackers. ESET detects the trojanized TrueCrypt as Win32/FakeTC. TrueCrypt Russia's domain was also used as a C&C server for the malware. The connection to Win32/Potao, which is a different malware family from Win32/FakeTC, is that FakeTC has been used to deliver Potao to victims' systems in a number of cases. FakeTC is not, however, merely an infection vector for Potao (and possibly other malware) but a fully functional and dangerous backdoor designed to exfiltrate files from the espionage victims' encrypted drives.
From The Register.
(Score: 3, Informative) by gnuman on Saturday August 01 2015, @03:56AM
Let this be lesson to you: verify hashes and signatures, but only after you verify that you have the correct hashes and signatures.
This doesn't save you if signatures are faked too. How many people verify that signature is valid *AND* made by correct key? No one. You didn't meet the developer and got their key in person. You can't then be sure that the key is correct key. You can only *assume*
(Score: 2) by MichaelDavidCrawford on Saturday August 01 2015, @06:10AM
The only time I ever asked anyone to sign my key, I asked two friends who should have known the difference. They downloaded my key from my website, signed it then mailed me their signed copies.
Eventually someone pointed out why I should sign my own key. I did so then uploaded it to the keysevers.
After a while I fetched my own key from a server only to find that two complete strangers had signed it. I expect they did so because they think well of me but how did that know that was _my_ key?
I'm getting ready to revoke my key then issue a new one, but because my key is so very old anyone with half a brain could have factored it by now.
I once mailed around an invite to a key signing party. My friend Richard Reich, also a consulting software engineer, replied that there was no point to it unless my party was attended by "a ballerina, a fisherman, a venture capitalist, a journalist, a refugee, a philanthropist and a NAZI".
That is if a whole bunch of people who all hang out together anyway sign each other's keys, well they can trust each others' sigs but no one else can. For that you need diversification.
Yes I Have No Bananas. [gofundme.com]
(Score: 0) by Anonymous Coward on Saturday August 01 2015, @12:13PM
After a while I fetched my own key from a server only to find that two complete strangers had signed it. I expect they did so because they think well of me but how did that know that was _my_ key?
That doesn't matter. Revoking key is only needed if you lose it, or *you* sign things that turned out to be fake ;)
(Score: 3, Touché) by MichaelDavidCrawford on Saturday August 01 2015, @01:15PM
Suppose you yourself trusted the keys of the two complete strangers who signed mine.
You want to send me a ciphertext, or validate my own sig on a cleartext mail, so you ask gnupg to verify that my sig is within your own web of trust.
It will be, because you trusted the two right chaps who signed the key of a complete stranger that they found on a keyserver.
But in reality, that key belongs to petergunn@cia.gov.
Does that work for you?
Yes I Have No Bananas. [gofundme.com]