Microsoft announced yesterday that it will complement the two-factor authentication it enabled for account holders in April with additional security features designed to deny account hijacking and unauthorized access.
Windows PC and mobile users, along with Outlook, SkyDrive, Xbox, Skype and other Microsoft services users will soon have three new capabilities to further prop up their accounts.
The most novel may be a dashboard view that presents a user with a log of recent activity, such as log-in attempts—including failed attempts—as well as the addition or deletion of security information and the type of device and browser used for a particular activity. Location is displayed on a map, as well as timestamp data.
“You know best what’s been happening with your account – so the more we give you tools to understand what’s happening, the better we can work together to protect your account,” wrote Eric Doerr, a group program manager at Microsoft. “For example, a login from a new country might look suspicious to us, but you might know that you were simply on vacation or on a business trip.”
Users who determine there has been suspicious or unauthorized activity can click on a “This wasn’t me” button that will then display steps the user can take to secure their accounts.
In addition, users who have already enabled two-factor authentication will be able to generate a recovery code to access their accounts without having to use the information provided during the setup of two-factor.
“Because two-step verification setup requires two verified pieces of security information, like a phone number and email address, it will be a rare occasion when both options fail, but in the event they do, we’ve got you covered,” Doerr said.
Microsoft said that any account user will be able to add a recovery code to their account, but users will be able to request only one recovery code at a time; requesting a new one cancels the old one, Doerr said.
“Your recovery code is like a spare key to your house,” Doerr said. “So make sure you store it in a safe place.”
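The "spare key" model described above (one active code per account, a new request cancelling the old one) maps onto a small amount of server-side logic. The following is an added example, not Microsoft's code: it shows how a defender would store such a code so that a leaked database does not leak the key itself. The class, method names, alphabet and 25-symbol length are assumptions made for illustration.

```python
"""Single-active recovery code store (added example, not Microsoft's code).

An account holds at most one recovery code; issuing a new one invalidates
the old one; a code is consumed when redeemed. Only a salted hash is stored,
so the "spare key" cannot be recovered from the store. Names and the code
format are assumptions for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed alphabet: unambiguous uppercase letters and digits (no 0/O, 1/I).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 25  # 25 symbols * 5 bits = 125 bits of entropy (assumed length)


def _hash_code(code: str, salt: bytes) -> bytes:
    # Normalise what the user types: drop separators, ignore case.
    normalised = code.replace("-", "").replace(" ", "").upper()
    return hashlib.sha256(salt + normalised.encode("ascii")).digest()


class RecoveryCodeStore:
    """Holds the single active recovery code hash for each account."""

    def __init__(self) -> None:
        self._active: dict[str, tuple[bytes, bytes]] = {}  # account -> (salt, hash)

    def issue(self, account: str) -> str:
        """Generate a fresh code and return it once; replaces any earlier code."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._active[account] = (salt, _hash_code(code, salt))
        # Grouped in fives so it can be written down and read back reliably.
        return "-".join(code[i:i + 5] for i in range(0, CODE_LENGTH, 5))

    def redeem(self, account: str, code: str) -> bool:
        """Return True and consume the code if it matches the active one."""
        entry = self._active.get(account)
        if entry is None:
            return False
        salt, stored = entry
        # Constant-time comparison: no timing signal about how close a guess was.
        if not hmac.compare_digest(stored, _hash_code(code, salt)):
            return False
        del self._active[account]  # single use: the spare key works once
        return True

    def has_active_code(self, account: str) -> bool:
        return account in self._active


if __name__ == "__main__":
    store = RecoveryCodeStore()
    shown_once = store.issue("demo-account")
    print("give this to the user exactly once:", shown_once)
    print("redeem:", store.redeem("demo-account", shown_once))
    print("redeem again:", store.redeem("demo-account", shown_once))
```

The store never keeps the plaintext code, which is why `issue` is the only place it can be shown to the user; the page's point that a new request cancels the old one falls out of overwriting the single dictionary entry.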
The final new feature users may expect is additional management of security notifications, such as password resets. Users will be able to select, for example, whether they want security notifications sent to an email address or to a mobile device via text message.
Microsoft account holders have had two-factor authentication at their disposal since April. Users are asked to provide two pieces of security information that Microsoft stores; the user will enter a password, for example, and then have a code sent to their mobile device as a second authenticator.
Microsoft also released an Authenticator app for Windows Phone; the app is built on a standard authentication protocol meaning that it could be used on other Web-based services such as those offered by Google, Dropbox and others.
Eight massive technology companies including Facebook, Apple and Google make up a new coalition calling for a reform of surveillance practices, which the companies say are undermining trust in not only their respective services, but of the Internet as a medium for communication and commerce.
The group, joined under the banner Reform Government Surveillance, co-authored an open letter to President Barack Obama and the U.S. Congress that says the surveillance of Americans in the name of national security undermines freedom.
“The balance in many countries has tipped too far in favor of the state and away from the rights of the individual—rights that are enshrined in our Constitution,” the companies wrote.
This is not the first time AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo have locked arms in protest of the National Security Agency’s activities since they were revealed starting in June in a series of documents by former NSA contractor Edward Snowden.
The tech giants have repeatedly petitioned Congress and the Attorney General for greater freedom to quantify the number of court orders—in particular those issued by the secret Foreign Intelligence Surveillance Court—requiring them to share user data with the government. Currently, National Security Letters can only be reported in bulk and in buckets of 1,000. The companies argue that just clouds transparency efforts.
The group urged government to adopt five principles it explains on its website, starting with limits on the government’s ability to compel service providers to disclose user data and stop bulk collection of Internet communication. It also calls for intelligence agencies to operate under a clear, transparent legal framework that includes independent reviewing courts, which is currently not the case with FISC.
In addition to again requesting permission to publish the number and nature of government requests for data, the group asks government to allow data to cross borders without having to worry about legal loopholes that enable government to access data stored outside the country.
Finally, the tech companies ask that governments work together to avoid conflicting laws and develop transparent legal frameworks under which governments agree to operate when it comes to requests for user data.
“Reports about government surveillance have shown there is a real need for greater disclosure and new limits on how governments collect information,” Facebook CEO Mark Zuckerberg said. “The US government should take this opportunity to lead this reform effort and make things right.”
For their part, most of the companies in question have ramped up their efforts to encrypt data and connections between data centers that were tapped by the NSA. A recent study by the Electronic Frontier Foundation of the encryption practices of a number of leading technology companies and Internet service providers showed varying levels of encryption deployments. Most, for example, already deploy HTTPS by default on all services—Yahoo is a laggard in this area, though it has announced that it will do so early in 2014. Notably fewer have deployed either HSTS or Perfect Forward Secrecy, which experts are increasingly vocal about making common, accepted practice.
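HSTS, mentioned above as one of the less widely deployed measures, is a single response header that tells a browser to refuse plain HTTP for a site. The following is an added example, not part of the EFF study or any company's code: it parses a `Strict-Transport-Security` header the way RFC 6797 describes and grades the policy, so a defender can check their own deployment. The sample header sets and service names are constructed, and the one-year threshold for a "strong" policy is an assumption.

```python
"""Parse and grade an HSTS header per RFC 6797 (added example).

The header strings below are constructed; they are not captured from any of
the companies named in the article. The one-year threshold is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 365 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

    def is_strong(self) -> bool:
        # A short max-age leaves frequent windows in which a first visit can be
        # downgraded; missing includeSubDomains leaves subdomains unprotected.
        return self.max_age >= ONE_YEAR and self.include_subdomains


def parse_hsts(header_value: Optional[str]) -> Optional[HstsPolicy]:
    """Return the parsed policy, or None when the header is absent or invalid."""
    if header_value is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # RFC 6797 allows a quoted value
        if name == "max-age":
            # max-age is required and may appear only once; otherwise the
            # whole header is ignored, as RFC 6797 instructs user agents.
            if not value.isdigit() or max_age is not None:
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unrecognised directives are ignored.
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def grade(headers: dict[str, str]) -> str:
    """Summarise a response's header set as 'none', 'weak' or 'strong'."""
    lookup = {k.lower(): v for k, v in headers.items()}
    policy = parse_hsts(lookup.get("strict-transport-security"))
    if policy is None:
        return "none"
    return "strong" if policy.is_strong() else "weak"


# Constructed sample responses from three imaginary services.
SAMPLES = {
    "no-hsts": {"Content-Type": "text/html"},
    "short-hsts": {"Strict-Transport-Security": "max-age=300"},
    "full-hsts": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for service, hdrs in SAMPLES.items():
        print(f"{service}: {grade(hdrs)}")
```

Run against real responses by feeding `grade` the header dictionary from whatever HTTP client you use; the parser deliberately rejects malformed headers rather than guessing, because a browser will ignore them too.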
“The security of users’ data is critical, which is why we’ve invested so much in encryption and fight for transparency around government requests for information,” said Google CEO Larry Page. “This is undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world.”
Recent revelations just add to the gravity and depths of the NSA’s surveillance activities; the Washington Post, for example, reported last week that the agency collects five billion cell records a day.
“People won’t use technology they don’t trust,” said Brad Smith, Microsoft General Counsel. “Governments have put this trust at risk and governments need to help restore it.”
Microsoft trumpeted its disruption of the ZeroAccess peer-to-peer botnet late last week, but some experts are holding off on scheduling a celebratory ticker-tape parade.
With numerous successful takedowns of botnets with a centralized command and control infrastructure in its back pocket, Microsoft may have missed on its first crack at a P2P botnet. Security company Damballa, for one, is reporting that Microsoft targeted only the click-fraud component of the botnet and not the custom communication protocol used by ZeroAccess to distribute configuration files and new commands. Attackers, researchers say, can simply issue new configuration files to the botnet and resume operations in a relatively short amount of time.
As for the click-fraud component, Damballa researchers say that approximately 62 percent of that part of the infrastructure seems to be up and running.
“Even without updates being sent across the P2P channel, the botnet’s monetization was largely unaffected,” wrote Damballa chief scientist Manos Antonakakis and Yacin Nadji, a Ph.D. candidate at the Georgia Institute of Technology, in a blog post.
Nadji told Threatpost this morning that the attackers could be up and running again shortly, needing only to acquire additional servers and domain names and then update a text file with the new information, adding that sending new configuration files is much cheaper for an attacker than rebuilding from scratch.
“If you disable the click-fraud component without disrupting the peer-to-peer infrastructure, the botnet masters just have to use the existing peer-to-peer infrastructure to send updates to say ‘Ok, don’t use this click fraud infrastructure any more, use this new one,’” Nadji said. “It doesn’t eliminate the botmasters’ ability to communicate with its infected peers, so if they had asked anyone’s opinion in the security community who is familiar with this botnet, they would have been able to say this is not going to do anything.”
Peer-to-peer botnets such as ZeroAccess, Kelihos, and versions of Zeus have proven difficult to keep in check; compromised bots talk to each other rather than to a central server. Often they employ custom protocols for communication that must be decrypted before they can be analyzed. Researchers have in the past had a rough go analyzing peer-to-peer botnets, or even enumerating their size.
A paper released earlier this year examined these features as well as botnets’ resilience to sinkholing, injection attacks and other disruptive methods used against other botnets. According to the paper, ZeroAccess maintains its peer lists by updating them every few seconds and merging previous lists, keeping the 256 most recent peers.
ZeroAccess has been around since 2009, evolving from a platform that pushed malware to a money-making botnet. According to Microsoft and Europol, it has infected nearly two million computers all over the world and cost online advertisers upwards of $2.7 million each month. Nadji said that taking over a peer-to-peer botnet is time consuming and difficult, largely because you’d have to not only understand the custom communication protocol and encryption being used, but then you would have to advertise yourself as a node on the network and send faulty information to other bots to slowly take it over.
“Even in this case, you would have to worry about reactive botmasters. If they’re able to see if this behavior is happening on the network, they may be able to counter it in some ways,” he said.
Microsoft teamed up with Europol’s European Cybercrime Centre (EC3), the FBI, and the application networking and security firm A10 Networks to take down ZeroAccess. Microsoft filed a lawsuit against the botnet’s operators, and a Texas district court granted the tech giant permission to block incoming and outgoing traffic to 18 IP addresses found to be involved in the scam. Microsoft was also able to wrest control of 49 domains associated with ZeroAccess.
“The coordinated action taken by our partners was instrumental in the disruption of ZeroAccess; these efforts will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection,” said David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit.
Nadji hopes to see better collaboration between not only technology companies, but law enforcement and academia to combat peer-to-peer botnets.
“We’ve seen some good cases (Conficker) where people from academia, industry and law enforcement were all working together to combat a serious threat,” Nadji said. “Those are the ones most likely to be successful. With peer to peer botnets, there needs to be a lot more work in understanding how we can effectively disable these. If (ZeroAccess takedown) was a more collaborative effort, I think we would have said ‘Hey, wait a minute, we need to handle this better if we’re actually taking down this botnet.’”
Google last week revoked digital certificates for some of its domains that had been fraudulently signed by an intermediate certificate authority with links to France’s cyber-defense agency.
The Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) claims that the spoofed Google certificates were signed by mistake and that the error had no security impact on either the French government or the general public.
“As a result of a human error which was made during a process aimed at strengthening the overall IT security of the French Ministry of Finance, digital certificates related to third-party domains which do not belong to the French administration have been signed by a certification authority of the DGTrésor (Treasury) which is attached to the [Infrastructure Management Trust Administration],” ANSSI officials published in a bulletin on their website.
Google says it first noticed the unauthorized digital certificates late on Dec. 3 and immediately updated Chrome’s certificate revocation list to block all certs issued by the intermediate authority. Google then informed the ANSSI and the other major browsers about the bad cert as well.
The bad certs were not signed by the ANSSI directly but by an intermediate authority whose certificates were signed by the ANSSI. Certificates issued by intermediate CAs are automatically trusted by browsers if the browsers already trust the root CA that signed intermediate CA’s certificate. In other words, the ANSSI issued a certificate to the offending intermediate CA, granting that intermediate CA permission to carry the full authority of the root CA, which in this case was the ANSSI. It was then the intermediate CA that created a fake certificate spoofing the one that establishes a secure connection with the Google domains in question.
“ANSSI has found that the intermediate CA certificate was used in a commercial device, on a private network, to inspect encrypted traffic with the knowledge of the users on that network,” Google security engineer Adam Langley wrote on Google’s Online Security Blog. “This was a violation of their procedures and they have asked for the certificate in question to be revoked by browsers. We updated Chrome’s revocation metadata again to implement this.”
Google says that its actions addressed an immediate security problem for its users.
“Since our priority is the security and privacy of our users, we are carefully considering what additional actions may be necessary,” Google warned.
The ANSSI says that the whole infrastructure management trust administration (IGC/A) process is under review to ensure that “no incident of this kind will ever happen again.”
It is well known that the SSL certificate system that establishes trust online is seriously flawed. In an attempt to better the situation, Google initiated the Certificate Transparency project, which aims to eliminate these flaws by providing an open framework for monitoring and auditing SSL certificates. Google called this incident a serious breach and says it underscores the need for better certificate transparency.
As 2013 comes to a close, security experts are looking back at the major stories and developments of the year, including the Edward Snowden NSA leaks and major malware attacks. In this video, Vitaly Kamluk of Kaspersky Lab examines the biggest security news of 2013 and talks about the lasting effects they may have.
If you’re still wondering when the future will get here, stop looking to the skies for flying cars and look down at your iPhone the next time you walk into an Apple store. The company has just kicked off a new in-store tracking initiative that uses Bluetooth to push offers and notifications to customers as they wander through the aisles looking at Beats headphones and One Direction phone cases.
Known as iBeacon, the system uses Bluetooth Low Energy (BLE) to push notifications to users in the store who are carrying iOS 7 devices with the Apple Store app installed. Users must allow the app to track them in order to receive the notifications, but once that option is enabled, a user might find herself receiving offers for a short-term discount on a particular product or an upgrade to a new iPhone.
The technology behind iBeacon is somewhat similar to near-field communications (NFC) in that it transmits information over short distances, but it has some significant differences, as well. The iBeacon system relies on a network of wireless transmitters installed in various environments–such as Apple stores or malls or ballparks–that can send customized offers and other information to devices that have specific apps installed. So, for example, a user who walks into Yankee Stadium with the MLB app installed–which is iBeacon-enabled–could get an interactive guide to the stadium or information on food and drink specials at various concession stands.
This is the kind of location- and context-aware advertising and tracking that privacy advocates have been concerned about for many years now. The current generation of smartphones all come with built-in GPS technology that enables some kinds of tracking, but the iBeacon system is a separate animal. It can be used for many different functions, and users need to allow their apps to track them in order for use cases like the Apple Store experience to work.
The iBeacon system and others like it could be expanded for use in a number of other environments, as well, such as public transportation systems, public buildings or other areas.
Microsoft’s crusade against botnets raged on yesterday as the Redmond, Wash., computer giant and a coalition of law enforcement agencies and Internet security companies disrupted the notorious ZeroAccess botnet.
ZeroAccess, or Sirefef as Microsoft likes to call it, is a malware platform that targets all major browsers and search engines. Its two primary functions are to hijack search results, redirecting users to malicious websites hosting information-stealing and other malware, and to commit click-fraud. In the past, ZeroAccess has demonstrated a proclivity for Bitcoin mining as well.
Microsoft teamed up with Europol’s European Cybercrime Centre (EC3), the FBI, and the application networking and security firm A10 Networks to take down ZeroAccess, which has reportedly infected some two million machines and costs online advertising firms nearly $3 million per month.
Back in the good old days (2010), a botnet take down was as simple as sink-holing the operation’s command and control server and ceasing its operations. At least in part because of this, many contemporary botnet handlers have moved to a peer-to-peer botnet architecture. This distributed botnet design means that the cybercriminals operating ZeroAccess could remotely control the botnet from tens of thousands of different infected machines. Thus, shutting ZeroAccess down required a cocktail of legal and technical measures.
Microsoft filed a lawsuit against the botnet’s operators, and a Texas district court granted the tech giant permission to block incoming and outgoing traffic to 18 IP addresses found to be involved in the scam. Microsoft was also able to wrest control of 49 domains associated with ZeroAccess.
“The coordinated action taken by our partners was instrumental in the disruption of ZeroAccess; these efforts will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection,” said David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit.
Meanwhile outside the U.S., Europol shut down 18 malicious IP addresses and worked in conjunction with Latvia, Luxembourg, Switzerland, the Netherlands and Germany to execute search warrants and seizures of computer servers associated with the fraudulent IP addresses.
“This operation marks an important step in coordinated actions that are initiated by private companies and, at the same time, enable law enforcement agencies around Europe to identify and investigate the criminal organizations and networks behind these dangerous botnets that use malicious software to gain illicit profits,” said Troels Oerting, head of the EC3.
Microsoft and its partners realistically note that their actions against ZeroAccess are unlikely to shut the botnet down altogether. However, the legal and technological measures taken, they believe, will significantly disrupt ZeroAccess, prevent victim machines from contributing to its illicit behavior, and likely cause the botnet’s operators to rebuild.
“If the hacker community has not yet taken notice, today’s disruption of the ZeroAccess botnet is another example of the power of public-private partnerships,” FBI Executive Assistant Director Richard McFeely said. “It demonstrates our commitment to expand coordination with companies like Microsoft and our foreign law enforcement partners — in this case, Europol — to shut down malicious cyberattacks and hold cybercriminals accountable for exploiting our citizens’ and businesses’ computers.”
Siemens has patched a serious remotely exploitable vulnerability in its SINAMICS S/G ICS software that could enable an attacker to take arbitrary actions on a vulnerable installation without having to authenticate.
The vulnerability affects all versions of the Siemens SINAMICS S/G products with firmware versions earlier than 4.6.11. ICS-CERT, a part of the Department of Homeland Security, said in an advisory that it is not aware of any public exploit attempts against this flaw, but that’s no reason to delay patching. An authentication bypass vulnerability for a product such as SINAMICS S/G, which is used to control the operations of drives in industrial facilities, could be a very useful tool for an attacker.
“Siemens has identified an authentication bypass vulnerability in the SINAMICS S/G product family. Siemens has produced a firmware update that mitigates this vulnerability and has tested the update to validate that it resolves the vulnerability. Exploitation of this vulnerability could allow an attacker to access administrative functions on the device without authentication,” the ICS-CERT advisory says.
“The affected product, SINAMICS S/G family, is used to control a variety of drives, especially in mechanical engineering and plant construction. In addition, SINAMICS S/G family interacts with motion controllers that are used to coordinate synchronous operations or complex technology functions.”
The vulnerability is considered quite easy to exploit, and Siemens said that organizations that are running vulnerable versions of the software should install the updated firmware, versions 4.6.11 and 4.7. The company also recommends that customers not provide public access to the SINAMICS interface over the network.
“As a general security measure Siemens strongly recommends to protect network access to the interface of SINAMICS S/G with appropriate mechanisms. It is advised to follow recommended security practices and to configure the environment according to operational guidelines in order to run the devices in a protected IT environment,” the Siemens advisory says.
Microsoft will, next week, patch a zero-day vulnerability in its GDI+ graphics component being exploited in targeted attacks in the Middle East and Asia.
The zero day has sat unpatched since it was made public Nov. 5; Microsoft did release a FixIt tool as a temporary mitigation. The patch is one of 11 bulletins Microsoft said today it will release as part of its December 2013 Patch Tuesday security updates; five of the bulletins will be rated critical.
Microsoft did confirm, however, that a zero day in the NDProxy driver that manages the Microsoft Telephony API on Windows XP systems will not be patched. That zero day is also being exploited in the wild alongside a PDF exploit of a patched Adobe Reader flaw.
The GDI+ vulnerability is found in several versions of Windows and Office and enables an attacker to gain remote-code execution, but only on Windows Vista, Windows Server 2008, and Office 2003 through 2010. The vulnerability exists in the way the GDI+ component handles TIFF images. Microsoft said an attacker would have to entice a victim to preview or open a malicious TIFF attachment or visit a website hosting the exploit image.
Tuesday’s critical patches address remote code execution vulnerabilities in a number of Microsoft products, including not only Windows and Office, but Lync, Internet Explorer and Exchange. Vulnerabilities in SharePoint, Lync, SignalR and ASP.NET are among those rated important by Microsoft. Those vulnerabilities are primarily privilege escalation issues, along with an information disclosure bug.
This will be the last scheduled release of security updates from Microsoft for the year. It looks like Tuesday’s updates will bring the 2013 count to 106 bulletins, up sharply from 83 last year, according to Qualys CTO Wolfgang Kandek. Microsoft had similar numbers of bulletins in 2011 (100) and 2010 (106).
“Regarding 0-days, Microsoft has consistently pointed out that the additional security toolkit EMET (Enhanced Mitigation Experience Toolkit) has been effective against all of the 0-day problems this year,” Kandek said. “We believe it is a proactive security measure that organizations should evaluate and consider as an additional layer in their defensive measures.”
The XP zero-day, meanwhile, will likely be left for the January 2014 Patch Tuesday updates. The vulnerability is a privilege escalation vulnerability and allows kernel access.
FireEye researchers said they found the exploit in the wild being used alongside a PDF-based exploit against a patched Adobe Reader vulnerability. Reader versions 9.5.4, 10.1.6, 11.0.02 and earlier on XP SP3 are affected; later versions are not, FireEye said, adding that this exploit gives a local user the ability to execute code in the kernel, such as installing new software, manipulating data, or creating new accounts. The exploit cannot be used remotely, the company said.
Microsoft recommended deleting the NDProxy.sys driver as a workaround; the mitigation, however, will impact TAPI operations.
“System administrators everywhere must have made Microsoft’s naughty list because this holiday ‘gift’ is clearly a lump of coal,” said Tyler Reguly, technical manager of security research and development at Tripwire. “Microsoft is wrapping up the 2013 patch season with anything that was laying around. Someone should tell Microsoft they forgot to include the kitchen sink.”
The pesky Dexter point-of-sale malware, discovered more than a year ago, remains active primarily in Russia, the Middle East and Southeast Asia, while its cousin Project Hook is finding similar success in the United States, prompting experts to sound an alarm as holiday commerce ramps up.
Researchers at Arbor Networks last month found two servers hosting the Windows-based malware, heralding newly active campaigns.
Dexter and Project Hook differ from more traditional point-of-sale attacks which rely on skimmers physically installed on endpoints, or phishing emails luring users on Windows machines hosting the PoS software. Instead, the malware is injected into files hosted on Windows servers before scraping credit card numbers as they’re entered via the PoS system.
Arbor Networks senior research analyst Curt Wilson said the two new Dexter servers were found in November; law enforcement as well as the Financial Services Information Sharing and Analysis Center (FS-ISAC) were informed. Wilson said during a two-week period when Arbor researchers were monitoring activity on the servers, they saw 533 infected endpoints call back to the command and control infrastructure.
“The way the attackers had the server set up, we saw credit card data posted to the site,” Wilson said. “The attackers were clearing the log files periodically, so there’s no telling how long these campaigns have been ongoing.”
Arbor identified three versions of Dexter: Stardust, which is likely the original version; Millenium; and Revelation. Revelation is likely the latest version and it is capable of moving stolen data not only over HTTP as previous versions, but also over FTP, a first for POS malware, Wilson said. Wilson added that Arbor researchers have not been able to determine how the initial infections are happening. The two command servers, he said, are no longer online.
Dexter was discovered more than a year ago and reported by researchers at Seculert, who reported at the time that campaigns were claiming victims at big retail operations, hotels and restaurants. At the time there were victims in 40 countries, most of those in the U.S. and the United Kingdom.
“Dexter is stealing the process list from the infected machine, while parsing memory dumps of specific POS software related processes, looking for Track 1 / Track 2 credit card data,” Seculert CTO Aviv Raff wrote in a blogpost last December. “This data will most likely be used by cybercriminals to clone credit cards that were used in the targeted POS system.”
Point-of-sale systems present hackers with a target-rich environment. The systems are often reachable online and are usually guarded with default or weak passwords that are child’s play for a brute force or dictionary attack. The last two Verizon Data Breach Investigations Reports have identified small retailers and hospitality providers as the primary victims in such opportunistic attacks because of limited security resources.
Wilson said some of the victimized machines were not dedicated PoS servers; one in particular was also hosting a physical security management system that ran access control and card reader software.
“The data being exfiltrated that we’ve seen suggests that the compromised machines are doubling up functions and running point of sale on a machine doing something else. PoS machines should be dedicated, locked down and have special policies applied to it,” Wilson said. “That’s a bad practice to pile so much on one system. An attacker with access to credit card data would also have access to anything else the management system has access to.”
Wilson said that the initial infections could be happening either via phishing emails luring victims to sites hosting Dexter or Project Hook, or the attackers are taking advantage of default credentials to access these systems remotely.
“With the holidays, there’s going to be more PoS activity and a higher volume of transactions. Now would be a good time to fortify security,” Wilson said. “The basics should cover this. There are IDS signatures written for this malware, and there are indicators of compromise floating around; basic antimalware should catch the process-injection techniques used here.”
Meanwhile, Ars Technica reported today the discovery of the first botnet targeting point-of-sale systems. A Los Angeles security company called IntelCrawler found the botnet which had infected close to 150 Subway sandwich shops stealing 146,000 credit card numbers.
An attack on the computer networks of banking giant JP Morgan Chase & Co. may have exposed sensitive information belonging to 465,000 prepaid cash-card holders, according to a Reuters report.
JP Morgan said the attack targeted Web servers handling its UCard program in mid-September and that the company has since remedied the underlying flaws that led to the breach and contacted law enforcement. The bank admitted to Reuters that attackers pilfered “a small amount” of data, but that it believes no user Social Security numbers, dates of birth, or email addresses were taken.
Troublingly, the Reuters report indicates that the information potentially exposed was not encrypted at the time of the attack, though JP Morgan claims it generally does encrypt its customers’ personal information.
Company spokesperson Michael Fusco told Reuters that JP Morgan spent the months following the attack determining which customers may have been affected and which data may have been compromised. The company is contacting those customers. He reportedly declined to disclose any technical details of the attack.
The breach reportedly affected some two percent of JP Morgan’s 25 million UCard holders, according to Fusco. Corporations apparently buy UCards from JP Morgan and issue them as payments to their employees while government agencies use them to issue tax refunds and to pay unemployment and other benefits.
As is standard operating procedure at this point, the bank is offering three years of credit monitoring services to those affected.
In response to the growing set of revelations about the NSA’s surveillance methods and alleged compromise of some large technology vendors’ services, Microsoft is taking a number of steps to try and reassure customers about the integrity of the company’s offerings and to greatly expand the use of encryption across its services.
Microsoft said that in the next few months it will be improving and expanding its use of encryption, specifically in its cloud services such as Azure, Outlook.com and Office 365. The company recently announced that it would be improving the encryption services on Office 365, but this new initiative goes well beyond that effort. Microsoft will be implementing Perfect Forward Secrecy on its cloud service and also will be moving to 2048-bit keys. This applies to data in transit between customers and Microsoft’s servers, but it also will be applied to information moving among the company’s data centers.
Microsoft said that these new security measures will be in place by the end of 2014, and some of them are in effect right now. The company also will be encrypting customer data at rest in its data centers.
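The property Microsoft is promising for data in transit, Perfect Forward Secrecy, depends on the key exchange, not on the key size. As an added example that is not Microsoft's code and not from the article, the Python below uses only the standard `ssl` module to build a client context that admits only ephemeral (EC)DHE key exchange and then audits the resulting cipher list; the cipher-suite strings are OpenSSL names, and which suites exist depends on the OpenSSL build Python is linked against.

```python
"""Audit a TLS context for forward secrecy (added example, standard library only)."""
import ssl

# OpenSSL cipher string that admits only ephemeral (EC)DH key exchange.
# Static RSA key transport ("kx-rsa") is deliberately excluded: if the server's
# long-term private key is later compromised, recorded RSA-key-transport sessions
# can be decrypted, which is exactly what forward secrecy prevents.
PFS_ONLY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4"


def build_pfs_context():
    """Client context restricted to TLS 1.2+ and forward-secret suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_ONLY_CIPHERS)
    return ctx


def build_static_rsa_context():
    """Counter-example: RSA key transport only, i.e. no forward secrecy."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("AES128-GCM-SHA256:AES256-GCM-SHA384")
    return ctx


def key_exchange_is_ephemeral(cipher):
    """True when the cipher's key exchange gives forward secrecy.

    `cipher` is one dict from SSLContext.get_ciphers(); its "kea" field is the
    key-exchange algorithm as OpenSSL reports it. TLS 1.3 suites are reported
    as "kx-any" because TLS 1.3 only supports ephemeral (EC)DHE exchange.
    """
    return cipher.get("kea", "") in ("kx-ecdhe", "kx-dhe", "kx-any")


def non_pfs_ciphers(ctx):
    """Names of enabled suites that would NOT provide forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers() if not key_exchange_is_ephemeral(c)]


if __name__ == "__main__":
    for label, ctx in (("pfs-only", build_pfs_context()),
                       ("static-rsa", build_static_rsa_context())):
        offenders = non_pfs_ciphers(ctx)
        print(f"{label}: {len(ctx.get_ciphers())} suites enabled, "
              f"{len(offenders)} without forward secrecy {offenders}")
```

The same audit can be run against a server-side context; the cipher string is what an operator would set on the listener, and `non_pfs_ciphers()` returning an empty list is the check that nothing with static key transport slipped back in through a default.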
“Although this is a significant engineering effort given the large number of services we offer and the hundreds of millions of customers we serve, we’re committed to moving quickly. In fact, many of our services already benefit from strong encryption in all or part of the lifecycle. For example, Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers. In other areas we’re accelerating plans to provide encryption,” said Brad Smith, general counsel and executive vice president for legal and corporate affairs at Microsoft.
Microsoft officials, like their counterparts at Google, Yahoo, Apple and other tech giants, have spent much of the last six months dealing with a number of allegations in media reports of the Edward Snowden NSA leaks. The most damaging reports have alleged that these companies have provided direct access to their servers for the NSA, something all of them have denied. Recent revelations have shown that the agency is actually tapping into undersea fiber cables that move generally unencrypted data between data centers around the world. This revelation has angered engineers at Google and led the company to accelerate some of its existing plans to encrypt those data links.
While Microsoft’s moves to encrypt more customer data will provide better protection for customers, there is more that the company could be doing to give basic security to its millions of users, said Chris Soghoian, principal technologist at the American Civil Liberties Union. Soghoian has been urging Microsoft and other companies to turn on SSL by default on their Web properties for years and said that there are a number of outstanding issues Microsoft needs to resolve to make these moves more significant.
“Bing still doesn’t offer SSL as an option. So will they finally change that? One of the things they said in this announcement is that they’ll be using best-in-class encryption, but that means more than just an algorithm. It means things like HSTS [HTTP Strict Transport Security] and certificate pinning,” he said. “Is Microsoft going to use certificate pinning in Internet Explorer?”
Certificate pinning allows browsers to define which certificate is associated with a specific Web property, as a defense against man-in-the-middle attacks that employ spoofed certificates. HSTS is a header that tells users’ clients that a given Web server only wants to accept secure connections.
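To make the two mechanisms concrete, here is an added example in Python of the client-side logic behind each; it is not Internet Explorer's or Microsoft's code. The HSTS part parses a `Strict-Transport-Security` header and upgrades later `http://` URLs the way RFC 6797 describes (including the `includeSubDomains` and expiry rules); the pinning part hashes a SubjectPublicKeyInfo the way RFC 7469 pins do and accepts a chain only if some key in it matches a pin. The store, the timestamps and every key byte string below are constructed for the example.

```python
"""HSTS policy handling and public-key pin matching (added example)."""
import base64
import hashlib
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a policy dict.

    Returns None when the header is unusable (missing, duplicate or non-numeric
    max-age); RFC 6797 says a client must then ignore the header entirely.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if policy["max_age"] is not None or not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def remember_hsts(store, host, header_value, now):
    """Update the client's HSTS store from a response header; max-age=0 forgets the host."""
    policy = parse_hsts(header_value)
    if policy is None:
        return store
    if policy["max_age"] == 0:
        store.pop(host.lower(), None)
    else:
        store[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])
    return store


def upgrade_url(url, store, now):
    """Rewrite http:// to https:// when the host, or a parent domain whose policy
    carries includeSubDomains, has an unexpired HSTS entry."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    labels = parts.hostname.lower().split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry is None or entry[0] <= now:
            continue
        _, include_subdomains = entry
        if i == 0 or include_subdomains:
            # RFC 6797: an explicit port 80 becomes 443, which is the https default
            netloc = parts.hostname if parts.port in (None, 80) else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url


def spki_pin(spki_der):
    """RFC 7469 style pin: base64(SHA-256(SubjectPublicKeyInfo in DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_matches(chain_spkis, pin_set):
    """A validated chain is accepted only if at least one of its keys is pinned."""
    return any(spki_pin(spki) in pin_set for spki in chain_spkis)


# Constructed stand-ins for DER-encoded keys; real pins hash real SPKI bytes.
LEAF_SPKI = b"constructed: leaf key bytes"
INTERMEDIATE_SPKI = b"constructed: intermediate CA key bytes"
BACKUP_SPKI = b"constructed: offline backup key bytes"
# Pin the intermediate plus a backup so a leaf rotation does not lock users out.
PINS = {spki_pin(INTERMEDIATE_SPKI), spki_pin(BACKUP_SPKI)}

if __name__ == "__main__":
    store = remember_hsts({}, "example.com", "max-age=31536000; includeSubDomains", now=1000)
    print(upgrade_url("http://mail.example.com/inbox", store, now=2000))
    print(pin_matches([LEAF_SPKI, INTERMEDIATE_SPKI], PINS))
    print(pin_matches([b"constructed: unrelated key"], PINS))
```

Two details matter for operators: a malformed header yields no policy rather than a weaker one, and a pin set always carries a backup key, because a pin that matches nothing in the chain is indistinguishable from the spoofed-certificate attack it is meant to stop.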
In addition to the encryption changes, Microsoft also said it will be reinforcing the legal authorities that it uses to protect customer data that the company stores. The company notifies corporate and government customers when it receives a request for a customer’s data, and Smith said Microsoft will continue to do this in the future.
“Except in the most limited circumstances, we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees – just as they did before these customers moved to the cloud – without undermining their investigation or national security. And when those limited circumstances arise, courts should have the opportunity to review the question and issue a decision,” Smith said.
But, Soghoian questioned why these same protections aren’t being extended to individual consumers whose data the government may seek.
“What about their regular customers? Forcing a gag order forces the government to go before a judge on something that they wouldn’t have to otherwise,” he said. “It’s really helpful to force the issue before an independent third party.”
Smith said Microsoft also plans to open so-called transparency centers in several locations around the world to enable government customers to inspect Microsoft’s source code for backdoors. The company has been allowing limited access to its source code for several years now, but will be expanding that in the near future.
“We’re therefore taking additional steps to increase transparency by building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors. We will open a network of transparency centers that will provide these customers with even greater ability to assure themselves of the integrity of Microsoft’s products,” Smith said.
UPDATE – A weakness has been discovered in the reflective cross-site scripting filter present in Internet Explorer since IE 8 that could enable an attacker to trick the browser into executing malicious code as trusted. The problem going forward is twofold: everything occurring in the bypass method is accepted as part of the official HTML standard going back at least 15 years; and Microsoft said it will not work on a fix for the flaw.
Carlos Munoz, a researcher with WhiteHat Security who publicized the issue today, told Threatpost that he reported the problem to the Microsoft Security Response Center on Aug. 26 and, after several back-and-forth emails, was informed that Microsoft would not move forward, citing its design philosophy for the XSS filter.
A Microsoft spokesperson told Threatpost that the filter was designed with the goal of raising the cost of an attack.
“As such, and after thorough investigation, this is not a product vulnerability,” the spokesperson said. “The scenario in question would require a cross-site scripting vulnerability to be present in a website and would also require a user to interact with such a site. We continue to recommend that customers exercise caution when accepting links from untrusted sources.”
In its email exchanges with Munoz, Microsoft pointed the researcher to a bullet point in its design philosophy that states: “For attacks that depend on application-specific transformations, we will only attempt to make the XSS Filter effective where these transformations are identified to be pervasive. We choose not to ROT13 decode URLs.”
Munoz said that if Microsoft did choose to fix the problem, it may have to add functionality to the filter that recognizes encoded reflections, decodes them, and then compares those decodings to known potentially malicious signatures.
“Another path that Microsoft could take is tracking injections across several requests and attempting to determine if an injection on page 1 of a website eventually reflects as a malicious script on page 4,” Munoz said. “There are probably several other avenues that Microsoft could pursue in working on a fix for this flaw.”
Microsoft introduced the reflective cross-site scripting filter in Internet Explorer 8 and it’s been supported in every version of the browser through the current version 11 released two months ago with Windows 8.1. The filter prevents browsers from executing non-stored data submitted in an HTML form or in an HTTP query without sanitizing it first.
“Currently this method of bypassing Internet Explorer’s anti-XSS filter only works when an attacker can inject into or create their own attribute space of an HTML element, and that attribute is then passed onto a page within the same domain that contains a XSS vulnerability,” Munoz said. “As this would imply, this is not an ‘everything is vulnerable’ type of finding. It is, however, something that could be exploited on almost any page where an attacker can inject HTML elements, albeit with the requirement that the victim would need to click a link on the page.”
Munoz wrote in a blog post today that the filter compares only untrusted requests with the response body from a website for reflections that could cause code execution.
Munoz points out that the filter is effective at stopping cross-site scripting attacks, but an attacker could fool it by taking advantage of a loophole in the HTML standard with regard to decimal and hexadecimal encodings.
“Everything utilized in this methodology is part of the official HTML standard—it uses the web the way the web was meant to be used,” Munoz said. When a response is made to an HTTP request that includes a properly coded decimal or hexadecimal character, Munoz said, the browser will display the encoded character.
“As an added bonus for an attacker, when a decimal or hexadecimal encoded character is returned in an attribute that is then included in a subsequent request, it is the decoded character that is sent, not the decimal or hexadecimal encoding of that character,” Munoz wrote. “Thus, all an attacker needs to do is fool Internet Explorer’s anti-XSS filter by inducing some of the desired characters to be reflected as their decimal or hexadecimal encodings in an attribute.”
Munoz said such an attack can be carried out with a malicious iframe, malicious code in a form submission or an embedded link to a site hosting an exploit. He added that he is not aware of any in-the-wild exploits. An attacker could craft something similar to a common reflective XSS attack to bypass the filter, but would have to entice the user via a phishing email to land on a site hosting an exploit.
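The mechanism Munoz describes, and the fix he suggests, come down to a normalization step. The Python below is an added example, not code from WhiteHat, Munoz or Microsoft: a toy reflection check that compares raw request parameters against the raw response body, beside the same check after decoding the response's decimal and hexadecimal character references. The request, the page fragment and the marker string are constructed; the marker is deliberately inert, since the point is to show what the filter sees, not to build a payload.

```python
"""Why a raw-byte reflection filter misses entity-encoded reflections (added example)."""
import html
import re
from urllib.parse import parse_qs, urlsplit


def naive_reflection_check(request_url, response_body):
    """Flag each query parameter whose value appears verbatim in the response.
    This is the comparison the text describes: untrusted request vs. raw body."""
    query = parse_qs(urlsplit(request_url).query)
    return {k: any(v in response_body for v in vals) for k, vals in query.items()}


def normalized_reflection_check(request_url, response_body):
    """Same check, but the response is entity-decoded first (&#NN;, &#xHH;, named
    references), so a value the server re-encoded into an attribute still counts
    as reflected. This is the 'recognize, decode, then compare' approach Munoz
    suggested."""
    decoded = html.unescape(response_body)
    query = parse_qs(urlsplit(request_url).query)
    return {k: any(v in decoded for v in vals) for k, vals in query.items()}


_ATTR_VALUE = re.compile(r'value="([^"]*)"')


def attribute_values_as_submitted(response_body):
    """What a browser actually sends when it submits the form: the decoded
    attribute value, not its &#...; spelling. This is the step that lets an
    encoded reflection on one page become a plain reflection on the next."""
    return [html.unescape(m) for m in _ATTR_VALUE.findall(response_body)]


# Constructed sample: the site echoes the search term into a value attribute,
# but writes the quote and angle bracket as numeric character references.
REQUEST = "http://shop.example/search?q=x%22y%3Cz"
RESPONSE = '<form action="/results"><input name="q" value="x&#34;y&#x3c;z"></form>'

if __name__ == "__main__":
    print("raw comparison:       ", naive_reflection_check(REQUEST, RESPONSE))
    print("decoded comparison:   ", normalized_reflection_check(REQUEST, RESPONSE))
    print("submitted on next hop:", attribute_values_as_submitted(RESPONSE))
```

The raw comparison reports no reflection for the same page on which the decoded comparison finds one, and the third function shows why the discrepancy carries over to the next request. As Microsoft's own statement notes, the scenario still requires a reflected XSS flaw on the site, so the durable fix remains contextual output encoding on the server; the client-side filter is a second layer whose comparison has to be done on decoded data to be meaningful.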
This article was updated Dec. 5 with a comment from a Microsoft spokesperson.
In an attempt to curb the rampancy of fraud throughout the holiday shopping season, a coalition of international law enforcement agencies seized 706 Internet domains allegedly involved in the sale of counterfeit merchandise.
The United States Homeland Security Investigations’ (HSI) National Intellectual Property Rights (IPR) Coordination Center spearheaded the operation along with Immigration and Customs Enforcement and ten law enforcement agencies from other countries and the European Union as well.
The campaign – dubbed Project Cyber Monday IV – is in its fourth year and is part of ICE’s ongoing Operation In Our Sites.
Among the domains seized, 297 were based in the U.S. and taken down by HSI, 393 were located inside the EU and taken down by Europol, and Hong Kong law enforcement took down 16 domains under its jurisdiction.
In a press release announcing the seizures on the ICE’s website, the agency claims that the last few weeks of the calendar year see online and physical marketplaces flooded with counterfeit goods. The negative impact of this, they claim, is two-fold: scammers are duping buyers with shoddy goods and consumers are putting their financial information at risk by purchasing from counterfeiters.
“Working with our international partners on operations like this shows the true global impact of IP crime,” said ICE Acting Director John Sandweg. “Counterfeiters take advantage of the holiday season and sell cheap fakes to unsuspecting consumers everywhere. Consumers need to protect themselves, their families, and their personal financial information from the criminal networks operating these bogus sites.”
ICE didn’t mention it but, of course, counterfeit goods affect the bottom lines of businesses as well. In fact, the IPR Center notes that the majority of the information it received leading to takedowns came from the trademark holders that were being infringed upon.
The IPR center claims that the most commonly counterfeited goods are headphones, sports jerseys, personal care products, shoes, toys, luxury goods, cell phones, and electronic accessories. Law enforcement officials would buy these items undercover and verify that they were in fact counterfeits with the legitimate trademark and copyright holders before moving on domain seizures.
“This operation is another good example of how transatlantic law enforcement cooperation works. It sends a signal to criminals that they should not feel safe anywhere,” said Rob Wainwright, director of Europol. “Unfortunately the economic downturn has meant that disposable income has gone down, which may tempt more people to buy products for prices that are too good to be true. Consumers should realize that, by buying these products, they risk supporting organized crime.”
All of the domain names seized are under the control of the governments involved in the operation. Visitors to those sites will see a banner informing them of why the site has been taken offline and warning them that willful copyright infringement is a violation of federal law.
Virtualization software company VMware pushed out patches for some builds of its Workstation, Fusion, ESXi and ESX products this week, fixing a vulnerability that could have led to a privilege escalation in older Windows operating systems running in a virtual environment.
The main problem is the way that Workstation, ESX and Fusion handle control code in the LGTOSYNC.sys driver. If an attacker leveraged a vulnerability in that driver they could manipulate memory allocation and put users running the software on 32-bit systems running Windows 2000 Server, Windows XP or Windows 2003 at risk. ESXi is tangentially vulnerable if deployed on Windows 2000 Server, Windows XP or Windows 2003 Server.
“The vulnerability does not allow for privilege escalation from the Guest Operating System to the host,” VMware specified in an advisory yesterday. “This means that host memory cannot be manipulated from the Guest Operating System.”
The security advisory adds that versions of Workstation from 9.x prior to 9.0.3, Player from 5.x prior to 5.0.3, Fusion from 5.x to 5.0.4, ESXi 4.0, 4.1, 5.0, 5.1 and ESX 4.0 and 4.1 are all affected.
All of the vulnerable products are more or less part of the company’s VMware infrastructure suite. VMware Fusion is technically referred to as a software hypervisor, allowing Intel-based Macs to run Windows, Linux and other operating systems alongside OS X. Workstation has the same functionality as Fusion but is specialized for x64 computers running Windows, Linux or BSD.
It’s the second privilege escalation vulnerability patched by VMware in the past three weeks. The company also fixed a similar issue in Workstation, in particular the version that runs Linux, back in November.
VMware posted patches for all of the products implicated yesterday on the support section of its site and, per usual, sent security notifications via email and in a post to the Full Disclosure mailing list.
Although there are still a number of issues that need to be addressed with the Department of Homeland Security’s information security efforts, the department is improving in many areas and making strong progress toward implementing better security controls, a new report from the Inspector General found.
DHS, which is responsible for a large portion of the security programs in the federal government, has been criticized sharply in the past for not meeting minimum standards on various basic security controls. The IG, as well as members of Congress, have taken the department to task for falling behind on requirements such as patching, implementing strong authentication and exerting better control of external systems. The latest report from the Office of the Inspector General shows that the department is moving in the right direction on many things, but still has plenty of room for improvement.
The report shows that some portions of DHS are running systems with authority to operate, haven’t consolidated all of their Internet connections into one trusted Internet connection and don’t have a formal process for tracking external systems.
“We identified a number of issues that DHS needs to address to strengthen its security posture. For example, we determined that components are not satisfying all of the Department’s information security policies, procedures, and practices. Specifically, we identified deficiencies in component POA&M [plan of action and milestones] management, system security authorization, and the consolidation of external network connections. In addition, components have not implemented all system configurations in accordance with DHS policies and procedures,” the new report says.
One major problem that the IG found in the DHS program, which has been ongoing for at least a year, is the department’s lack of a management program for tracking security vulnerabilities in its classified systems. The department uses a project management system to track progress on most such initiatives, but the IG found this wasn’t the case for vulnerabilities in classified systems.
“DHS does not monitor the adequacy of the POA&Ms for its ‘Top Secret’ systems. For example, DHS has yet to perform any reviews or oversight functions on ‘Top Secret’ POA&Ms that are manually tracked outside of the Department’s enterprise management tools. As a result, DHS cannot ensure that POA&Ms have been created to mitigate the security vulnerabilities identified on its ‘Top Secret’ systems and ensure they are managed in accordance with DHS’ policies and procedures,” the report says.
A second issue is that DHS doesn’t have baseline configurations enforced on its systems, on both desktops and servers. The IG report found inconsistent implementation of the configurations and recommended that the department’s CIO ensure that this state of affairs changes. DHS management, commenting on the IG’s recommendations, said that it plans to have this problem addressed by the end of the year.
“During FY 2013, DHS completed major steps toward achieving this goal. There are 11 out of 12 Components now using the approved baseline configuration settings. The rigor of configuration management will be increased in FY 2014 by expanding relevant scorecard metrics to include devices beyond Windows platforms,” the comment said.
Overall, the IG report said that DHS is moving forward with its security programs and making strides toward hardening the department’s internal and external systems.
“DHS continues to improve and strengthen its information security program. During the past year, DHS drafted an ongoing authorization methodology to help improve the security of the Department’s information systems through a new risk management approach. This revised approach transitions the Department from a static, paperwork-driven, security authorization process to a dynamic framework that can provide security-related information on demand to make risk-based decisions based on frequent updates to security plans, security assessment reports, and hardware and software inventories,” the report says.