Feed aggregator

Metadata Program ‘Not Uniquely Valuable Enough’ to Justify Privacy Intrusions

Threatpost for B2B - Tue, 01/14/2014 - 17:47

In a mostly friendly and non-confrontational hearing on Tuesday, members of the Senate Judiciary Committee spent a couple of hours talking to members of the White House-appointed NSA review board about the extent of the agency’s surveillance and the panel’s recommendations for reform. The hearing covered almost no new ground, with committee members spending much of the time asking questions about intelligence collection and sharing pre-9/11 and whether the metadata program could have helped prevent those attacks or has prevented any since then.

The hearing, which included only a handful of committee members most of the time, was ostensibly about the report produced by the White House panel in December and the 46 recommendations in it regarding intelligence collection programs and potential abuses by the NSA. The panel recommended a number of changes to the controversial Section 215 and 702 collection programs, and the committee members asked a litany of questions about those, specifically about the metadata program, which has drawn sharp criticism from lawmakers and privacy advocates.

Committee Chairman Sen. Patrick Leahy (D-Vt.) said that he did not believe the Section 215 program produced enough results to justify its existence.

“I’ve concluded that the phone record program is not uniquely valuable enough to justify a massive intrusion on Americans’ privacy,” he said.

Michael J. Morell, the former acting director of the CIA and a member of the President’s Review Group on Intelligence and Communications Technologies, said that the panel did not believe it was necessary to eliminate the metadata program, but had no evidence that it had prevented any terror attacks, either.

“We did not recommend the end of the 215 program,” he said. “It is absolutely true that the 215 program hasn’t played a significant role in disrupting any attacks to this point. But it only has to be successful once to be important.”

NSA officials and some lawmakers have defended the metadata program on the grounds that it does not collect the content of calls, but rather the information about the originating and terminating numbers and the length of the call. However, Morell said that during the research for the report the panel wrote, he came to the conclusion that metadata can tell observers a lot about a target’s activities.

“There is quite a bit of content in metadata and when you have the records of the phone calls an individual made, you can learn quite a bit about an individual,” he said.

The committee also spent some time addressing the issue of whether the metadata program would have prevented the attacks of 9/11, something that NSA officials have asserted in recent months. Asked whether that was the case, Richard Clarke, the former White House security adviser, said that it was impossible to know.

“It’s impossible to go back and reconstruct history,” Clarke said. “It’s very difficult to say with accuracy if one fact had been changed whether the outcome would’ve been significantly different.”

Adobe Updates Security for Flash, Reader, Acrobat

Threatpost for B2B - Tue, 01/14/2014 - 15:50

Adobe has issued security bulletins addressing five critical vulnerabilities in its Flash Player, Reader and Acrobat products that could give attackers the ability to cause crashes and wrest control of affected machines.

Adobe claims it is not aware of any in-the-wild exploits targeting these bugs.

CVE-2014-0491 and CVE-2014-0492, reported by Masato Kinugawa and the Zero Day Initiative respectively, resolve problems in Adobe Flash and AIR. Users will need to update Flash Player 11.9.900.170 and earlier versions for Windows and Mac and 11.2.202.332 and earlier versions for Linux. Users of Adobe AIR, including versions 3.9.0.1380 and earlier for Windows, Mac, Android, SDK, and compiler, will need to update those systems as well.

All the Flash bugs received Adobe’s highest priority rating while the AIR bugs received its lowest.

Gynvael Coldwind and Mateusz Jurczyk of Google’s security team discovered CVE-2014-0493 and CVE-2014-0495, while a researcher named Saroush Dalili reported CVE-2014-0496 to Adobe. All of these bugs affect either Adobe Acrobat or Reader and received Adobe’s highest priority rating.

Affected versions include Adobe Reader XI (11.0.05) and earlier 11.x versions for Windows and Mac, Reader X (10.1.8) and earlier 10.x versions for Windows and Mac, Acrobat XI (11.0.05) and earlier 11.x versions for Windows and Mac, and Acrobat X (10.1.8) and earlier 10.x versions for Windows and Mac.

You can find the full Flash bulletin here and the full Acrobat and Reader bulletins here.

Microsoft Patch Tuesday Security Updates Address Windows XP Zero Day

Threatpost for B2B - Tue, 01/14/2014 - 15:32

Microsoft is entering softly into 2014 with a minimalist version of Patch Tuesday, which is likely to be a welcome reprieve. Windows shops can expect a busy re-tooling year ahead as Microsoft not only ends support—including security updates—for Windows XP, but also will restrict the use of MD5 in digital certificates and bring changes to Windows Authenticode verification that could render some programs untrusted if they don’t pass muster.

All of today’s bulletins were rated “Important” by Microsoft, but experts urge prioritization of MS14-002 which is a patch for a zero-day vulnerability in Windows XP and Windows Server 2003. The vulnerability was publicly disclosed in November and is being exploited in conjunction with an Adobe Reader vulnerability. That flaw was patched by Adobe in May.

Today’s patch repairs a privilege escalation bug in the ND Proxy Driver that manages Microsoft’s Telephony API. Microsoft had released a mitigation that would have rendered the API unusable.

The vulnerability was rated important because it could not be exploited remotely. An attacker would need to log in to a system with valid credentials and run a malicious application in order to exploit the vulnerability locally.

“This was typically exploited by an attacker sending your user a spear phishing email with a bad Adobe link. Once clicked, that attacker could then gain administrator access to the machine,” said Russ Ernst of Lumension. “Keeping your Adobe applications fully patched will mitigate this vulnerability, but it’s important to apply MS14-002 as a defense in depth.”

Microsoft also patched a remote code execution bug in Microsoft Word and Office Web applications that merits attention, experts said. MS14-001 patches three vulnerabilities that could allow an attacker to remotely run code on a compromised machine; the hacker would have to entice the victim to open an infected attachment. The update patches Microsoft Word 2003, 2007, 2010, 2013, and 2013RT, and Office services and Web apps supported on SharePoint Server 2010, 2013 and Microsoft Web Apps Server 2013.

“On their own these vulnerabilities might not be critical, but combined they can be much more serious,” said Ben Hayak, a researcher with Trustwave’s SpiderLabs. “If an attacker used a malicious Office document to execute code that takes advantage of the privilege elevation vulnerability, then a phishing email to an unsuspecting user would be all that’s necessary.”

Microsoft also addressed another privilege escalation bug in Windows with MS14-003. This bulletin patches one vulnerability in Windows Kernel-Mode Drivers that can be exploited only with local access and valid credentials. Windows 7 and Windows Server 2008 R2 are affected by this vulnerability, Microsoft said.

“The vulnerability occurs when the driver improperly uses window handle thread-owned objects,” said Marc Maiffret, CTO of BeyondTrust. “Attackers can exploit this vulnerability to gain the ability to execute arbitrary code in the context of the kernel. This is very similar to the vulnerability fixed by MS14-002, which also provides attackers kernel level privileges if properly exploited.”

The final bulletin, MS14-004, patches a denial-of-service flaw in Microsoft Dynamics AX. An attacker could exploit the vulnerability by sending malicious data to an AX Application Object Server instance, causing it to stop responding to client requests, Microsoft said.

“This is a server side vulnerability and note that the updated service will not automatically restart, so if you are applicable, it would be best practice to manually restart the impacted service after applying the update,” Lumension’s Ernst said.

Microsoft also re-released MS13-081, addressing a stability issue that caused the original update to fail or partially install on some systems with third-party USB drivers, Microsoft said.

Google Blocks Malicious File Downloads Automatically in Chrome

Threatpost for B2B - Tue, 01/14/2014 - 15:27

Google has fixed five vulnerabilities in its Chrome browser and also has activated a feature that will block malicious file downloads automatically. The change is a major security upgrade for Chrome and will help prevent users from unwittingly downloading harmful files, an attack vector that attackers count on for the success of drive-by downloads and other attacks.

Attackers rely on their ability to install files on victims’ machines, either with the cooperation of the user or through an automatic download in the background. That’s the essence of many Web-based attacks today and the change in Chrome will give users an extra layer of protection, even if they happen to click on a malicious file or visit a site that’s serving malware.

Along with that change to Chrome’s security, Google also fixed five separate security flaws in the browser, including one that could have been used to force the browser to sync with an attacker’s Google account. Here’s the list of the vulnerabilities patched in Chrome 32:

In addition to those vulnerabilities, reported by external researchers, Google also fixed nearly 20 other flaws that were discovered during the company’s internal security efforts.

Blog: Adobe's first Patch Tuesday of 2014

Secure List feed for B2B - Tue, 01/14/2014 - 13:59
This month's Adobe Patch Tuesday release sees fixes for Flash Player, Acrobat and Reader. All vulnerabilities get the highest priority rating.

US-CERT Warns of NTP Amplification Attacks

Threatpost for B2B - Tue, 01/14/2014 - 13:45

US-CERT has issued an advisory that warns enterprises about distributed denial of service attacks flooding networks with massive amounts of UDP traffic using publicly available network time protocol (NTP) servers.

In what are known as NTP amplification attacks, hackers are exploiting the monlist feature in NTP servers, also known as MON_GETLIST, which returns the IP addresses of the last 600 machines that interacted with an NTP server. Monlist is a classic set-and-forget feature of NTP, which is generally used to sync clocks between servers and computers. The protocol is vulnerable to forged REQ_MON_GETLIST requests, enabling traffic amplification.

“This response is much bigger than the request sent making it ideal for an amplification attack,” said John Graham-Cumming of Cloudflare.

According to US-CERT, the MON_GETLIST command allows admins to query NTP servers for traffic counts. Attackers are sending this command to vulnerable NTP servers with the source address spoofed as the victim.

“Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim,” the US-CERT advisory says. “Additionally, because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks.”

To mitigate these attacks, US-CERT advises disabling monlist or upgrading to NTP version 4.2.7, which also disables monlist.

NTP amplification attacks have been blamed for recent DDoS attacks against popular online games such as League of Legends, Battle.net and others. Ars Technica today reported that the gaming servers were hit with up to 100 Gbps of UDP traffic. Similar traffic amounts were used to take down American banks and financial institutions last year in allegedly politically motivated attacks.

“Unfortunately, the simple UDP-based NTP protocol is prone to amplification attacks because it will reply to a packet with a spoofed source IP address and because at least one of its built-in commands will send a long reply to a short request,” Graham-Cumming said. “That makes it ideal as a DDoS tool.”

Graham-Cumming added that an attacker can retrieve a list of open NTP servers using available Metasploit or Nmap modules that find NTP servers supporting monlist.

Graham-Cumming demonstrated an example of the type of amplification possible in such an attack. He sent the MON_GETLIST command to an NTP server in a request packet 234 bytes long. He said the response was split across 10 packets and was 4,460 bytes long.

“That’s an amplification factor of 19x and because the response is sent in many packets an attack using this would consume a large amount of bandwidth and have a high packet rate,” Graham-Cumming said.

“This particular NTP server only had 55 addresses to tell me about. Each response packet contains 6 addresses (with one short packet at the end), so a busy server that responded with the maximum 600 addresses would send 100 packets for a total of over 48k in response to just 234 bytes. That’s an amplification factor of 206x!”
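The arithmetic behind Graham-Cumming's 19x and 206x figures, as an added worked example that is not code from the article or from Cloudflare. It assumes the on-the-wire framing given in the comments (Ethernet, IPv4 and UDP headers, an 8-byte NTP mode 7 response header, 72 bytes per monlist entry and 6 entries per packet), which reproduces the article's packet counts and byte totals for 55 and for the maximum 600 addresses; it models sizes only and sends nothing.

```python
"""Size model for NTP monlist (MON_GETLIST) replies and the resulting
amplification factor, used to estimate how much traffic a server that
still answers monlist can reflect toward a spoofed victim.

Assumed framing (not stated in the article, chosen so the model matches
its figures): Ethernet 14 + IPv4 20 + UDP 8 bytes of headers, an 8-byte
NTP mode 7 response header, 72 bytes per monlist entry, 6 entries per
response packet, and a monlist cap of 600 entries.
"""

ETH_HDR = 14
IPV4_HDR = 20
UDP_HDR = 8
MODE7_HDR = 8
ENTRY_LEN = 72
ENTRIES_PER_PKT = 6
MONLIST_MAX = 600
REQUEST_LEN = 234  # on-the-wire size of the request packet in the article


def monlist_response_packets(num_addresses):
    """Return the on-the-wire size of each packet in a monlist reply
    covering num_addresses entries; the last packet is short when the
    count is not a multiple of ENTRIES_PER_PKT. The server never returns
    more than MONLIST_MAX entries."""
    remaining = min(num_addresses, MONLIST_MAX)
    sizes = []
    while remaining > 0:
        entries = min(remaining, ENTRIES_PER_PKT)
        sizes.append(ETH_HDR + IPV4_HDR + UDP_HDR + MODE7_HDR + ENTRY_LEN * entries)
        remaining -= entries
    return sizes


def amplification(num_addresses, request_len=REQUEST_LEN):
    """Summarise the reply to one request: packet count, total bytes and
    the bandwidth amplification factor (reply bytes / request bytes)."""
    sizes = monlist_response_packets(num_addresses)
    total = sum(sizes)
    return {"packets": len(sizes), "bytes": total, "factor": total / request_len}


if __name__ == "__main__":
    # The article's two cases: a quiet server with 55 entries and a busy
    # one at the 600-entry cap.
    for n in (55, 600):
        r = amplification(n)
        print(f"{n:3d} addresses -> {r['packets']:3d} packets, "
              f"{r['bytes']:5d} bytes, {r['factor']:.1f}x amplification")
```

Plugging in the entry count your own server returns gives a per-request exposure figure; any factor above 1 means the server is a usable reflector and monlist should be disabled.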

Rich Mogull on the Target Data Breach

Threatpost for B2B - Tue, 01/14/2014 - 13:44

Dennis Fisher talks with Rich Mogull of Securosis about the Target data breach, how the attack may have worked, why these breaches are still so common and what can be done to improve the situation.

http://threatpost.com/files/2014/01/digital_underground_141.mp3

Java Version of Icefog Espionage Campaign Hit 3 US Oil, Gas Companies

Threatpost for B2B - Tue, 01/14/2014 - 12:46

When the curtain was peeled back on the Icefog targeted espionage campaign in September, a new type of operator was unveiled, one that took the persistence out of advanced persistent threats (APT).

Researchers at Kaspersky Lab noted in uncovering Icefog that the attacks against the defense supply chain—including military contractors, ship builders, satellite operators, high tech companies and others in Japan and South Korea—were hit-and-run operations. Icefog was likely pulled off by a small group of attackers, one that used a mix of custom malware and attacks against known vulnerabilities in Windows and Mac OS X machines. The group knew its victim, knew what it needed from a campaign, and once that objective was achieved, the target was abandoned.

This goes against the grain of APT attacks where an organization is likely owned for a considerable amount of time as hackers pivot about internally under the cover of poor detection mechanisms or stolen credentials.

Icefog went dark after the September report, but researchers at Kaspersky Lab continued to dig into domains used in the attack that had been sinkholed by the security company, as well as looking at victim connections. This morning, additional details on the attack emerge that indicate the attackers also had a Java version of the campaign in their arsenal and used that to target three oil and gas companies in the United States.

The three companies were notified, and two have rid themselves of the infection, Kaspersky Lab said today. Individuals within these companies were likely duped by a phishing email that contained an Office exploit. Once inside, the attackers launched the Java-based attacks, dubbed Javafog, and also used a new command and control for backdoor communication. The Java attacks, Kaspersky Lab said, would be stealthier and, in another twist on this story, give the attackers a longer-term presence.

“The focus on the US targets associated with the only known Javafog C&C could indicate a US-specific operation run by the Icefog attackers; one that was planned to take longer than usual, such as, for instance, long term collection of intelligence on the target,” said the Kaspersky report. “This brings another dimension to the Icefog gang’s operations, which appear to be more diverse than initially thought.”

The latest pieces to the puzzle came together in October when Kaspersky Lab took over an Icefog domain called lingdona[.]com. The domain was originally hosted in Hong Kong and raised suspicions because it matched other known Icefog domains. Immediately, the domain began receiving connections every 10 seconds from a Java application, a new turn since other variants used IE User-Agent strings.

Unable to find a sample of the malware connecting to lingdona[.]com, the researchers instead found a URL, submitted to the public JSUNPACK service and hosted on a known Icefog domain, that referenced a Java applet called policyapplet.jar. The researchers decoded a long hexadecimal string parameter attached to the policyapplet reference and found another Java applet with a main class, JavaTool.class, that was compiled in 2010.

Once installed, it latches onto the computer’s registry for persistence at startup and then begins connecting to lingdona[.]com/news and sending system information. If the attackers determine the machine to be a target of value, they can then send back any number of commands ordering the malware to encrypt and upload local files, migrate to a new command and control server URL, or execute a specified string and upload the results.

“It allows the attackers to control the infected system and download files from it,” the Kaspersky Lab report said. “Simple, yet very effective.”

This particular operation was small; eight IPs belonging to the three U.S. oil and gas companies connected to the lingdona domain. Researchers noted as well that two of the victims updated Java from Java 1.7 update 25 to update 45.

Blog: The Icefog APT Hits US Targets With Java Backdoor

Secure List feed for B2B - Tue, 01/14/2014 - 05:30
Previously unknown version of Icefog, named Javafog, found in the US.

Syrian Electronic Army Takes Aim at Microsoft, Xbox Twitter Accounts, Blogs

Threatpost for B2B - Mon, 01/13/2014 - 15:30

Just a few days after it hacked Microsoft’s Skype blog and Twitter account, the Syrian Electronic Army (SEA) took to some of the company’s other social media accounts over the weekend, hacking both its @MSFTNews and @XboxSupport Twitter handles along with the company’s official blog.

It all started Saturday when the SEA’s primary Twitter account, @Official_SEA16, posted screenshots of Xbox’s Instagram and Twitter accounts, hacking them to apparently promote a fake game “Syrian Arab Army: Fighting the Terrorists.”

From there the account posted screenshots of a compromised @MSFTNews account, Microsoft’s verified news Twitter handle. The account was hijacked to display re-tweets from the SEA account, a Syrian flag and a warning: “Don’t use Microsoft emails (hotmail, outlook), They are monitoring you accounts and selling the data to the governments. #SEA @Official_SEA16.”

The post reiterated the same anti-surveillance message – word for word – that the SEA broadcast over Skype’s Twitter account last week.

Meanwhile Microsoft’s official blog, hosted on Technet, the company’s blog network, was rigged to display a series of pro-Syrian sentiments (SEA Was Here… Long live Syria! etc.) before redirecting some users to the SEA’s website.

The same SEA Twitter account went on to tweet screenshots purportedly taken from conversations between Microsoft insiders – although it isn’t entirely clear if the SEA had direct access to Microsoft employee emails.

Microsoft dealt with the hacks swiftly on Saturday – compromised accounts remained offline for just a few hours – but the company insisted that no customer information was compromised by the hack.

“Microsoft is aware of targeted cyberattacks that temporarily affected the Xbox Support and Microsoft News Twitter accounts. The accounts were quickly reset and we can confirm that no customer information was compromised,” the statement read.

A SEA member that goes by the pseudonym “Syrian Eagle” told Mashable over the weekend the group has more documents and details it has yet to publish and warned the attack was “just the beginning.” Further comments made by “Syrian Eagle” went on to echo the group’s anti-surveillance stance.

The Microsoft hacks are the latest in a long line of attacks by the pro-Syrian group. Last year saw the group breach high profile media sites like the New York Times and the Washington Post but it appears the NSA surveillance revelations from the last few months and Microsoft’s alleged stance on them may have sparked a new wave of hacks.

Remotely Exploitable ‘Test Interface’ Found in Cisco Wireless Routers

Threatpost for B2B - Mon, 01/13/2014 - 12:27

There is a serious vulnerability in several Cisco wireless routers that could give an attacker root level access. The bug is the result of a backdoor in the routers that was set up as a test interface, and Cisco does not yet have patches available to fix it.

Cisco officials said the vulnerability is “an undocumented test interface” that exists in the Cisco WAP4410N Wireless-N Access Point and the Cisco WRVS4400N Wireless-N Gigabit Security Router, and that it could be used by a remote attacker to steal administrator credentials from a vulnerable router and then run arbitrary commands.

“This vulnerability can be triggered from the LAN interfaces of the Cisco WRVS4400N Wireless-N Gigabit Security Router and the Cisco RVS4000 4-port Gigabit Security Router from the wireless LAN (WLAN) and the LAN interfaces of the Cisco WAP4410N Wireless-N Access Point,” the Cisco advisory says.

“This vulnerability is due to an undocumented test interface in the TCP service listening on port 32764 of the affected device. An attacker could exploit this vulnerability by accessing the affected device from the LAN-side interface and issuing arbitrary commands in the underlying operating system. An exploit could allow the attacker to access user credentials for the administrator account of the device, and read the device configuration. The exploit can also allow the attacker to issue arbitrary commands on the device with escalated privileges.”

The routers that contain the vulnerability are all close to end of life, but Cisco still plans to issue patches for them. The company said that it will release fixed firmware versions by the end of January. The bug has the most serious CVSS score, a 10 for all of the vulnerable routers. The company said that there are no known workarounds for the vulnerabilities in any of the routers.

Twitter Security and Privacy Settings You Need to Know

Threatpost for B2B - Mon, 01/13/2014 - 11:15

To kick off the new year, we are restarting our tutorial screencast series where we attempt to briefly walk users through the process of locking down their various online accounts. Today’s video, which is just slightly longer than we had hoped, thoroughly details the steps necessary to ensure that your Twitter account is as private and secure as possible.

We apologize for the left-right confusion at 1:05. The gear icon is very clearly in the top right, not the top left. Also, there are two things we failed to mention.

  1. Be careful when opening shortened links in tweets and direct messages because it is hard to be certain about where they lead.
  2. If you are interested in privacy, then it is probably not a good idea to link your Twitter account with your Facebook account.

As always, drop any of your own suggestions in the comments section below.

Target Reveals New Data Breach Details: Possibly 110 Million Affected

Threatpost for B2B - Fri, 01/10/2014 - 17:01

UPDATE: The latest on Target’s Black Friday data breach plunged the incident to uglier depths.

The giant Minneapolis-based retailer today revealed new details culled from a forensic investigation that the attackers not only stole credit and debit card information, but also names, mailing addresses, phone numbers and email addresses, impacting another 70 million individuals. Initially, Target reported losing only magnetic stripe data on 40 million payment cards.

“Today we are sharing that, as the result of the data breach, it has been confirmed that the partial personal information for up to 70 million individuals was also stolen. These are two distinct groups and are not linked,” Target manager of public relations Molly Snyder told Threatpost over email this afternoon. “While there may be some overlap between the two groups (the 40 million and the 70 million), we don’t know to what extent at this time.”

Target said it will be contacting affected customers by email.

“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, chairman, president and chief executive officer of Target, in a statement. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”

Target said it is offering individuals who shopped at its U.S. locations one year of free credit monitoring and identity theft protection.

Target’s most recent announcement also accompanied an update to its fourth quarter financial outlook; the company announced it will miss Wall Street projections significantly, perhaps by as much as $.40, and projects a sales decline of 2.5 percent. Target’s initial guidance was flat.

The announcement said fourth quarter sales were on an upward track prior to the breach announcement on Dec. 18; hackers reportedly had access to Target systems from Nov. 27, the day before Thanksgiving, to Dec. 15, the peak of the holiday shopping season. Post breach announcement, Target’s release today said sales were “meaningfully weaker than expected,” and it expects a sales decline of 2 percent to 6 percent for the remainder of Q4.

Target has provided a number of updates since the initial breach announcement, each one refuting a previous claim or informing customers that the scope of the breach had worsened.

Soon after the initial announcement which said only track data was stolen, Target amended that with an announcement that hackers had also made off with encrypted PIN data. Target assured customers the PINs were safe, but security experts cautioned that despite the use of 3DES encryption, there were still ways that determined, resourced hackers could decrypt the information and begin to clone ATM cards, for example.

Target said PIN data is encrypted at the point of sale terminal and decrypted only at its payment processor. The key, Target said, is not stored with the retailer and is never sent in transit with the PIN data. Experts told Threatpost that the PIN data is likely secure unless hackers get access to the key or the machine storing the key.

“Most people object to 3DES because it’s an ancient algorithm that was designed as a patch for (now broken) DES until AES was finalized,” said Matthew Green, a cryptographer and professor at Johns Hopkins University. “Now we’ve had AES for more than a decade, it’s questionable why we’d be using 3DES.”

The Payment Card Industry Data Security Standard (PCI-DSS), which governs how retailers secure payment card data and transactions, mandates unique keys for every payment terminal, limiting the scale of risk brought by the breach, experts said. That of course assumes Target is PCI compliant.

This article was updated at 3:30 p.m. ET with clarification and comment from Target.

Threatpost News Wrap, January 10, 2014

Threatpost for B2B - Fri, 01/10/2014 - 16:58

Dennis Fisher and Mike Mimoso discuss the news of the weird in the security industry since the holidays, including the latest revelations about the Target data breach and the decision by some speakers to boycott the RSA Conference because of the NSA revelations.

http://threatpost.com/files/2014/01/digital_underground_140.mp3

Oracle, Adobe Announce First Critical Patches of 2014

Threatpost for B2B - Fri, 01/10/2014 - 13:26

As expected, Oracle and Adobe will release critical patches alongside Microsoft on Tuesday to kick off the year’s inaugural Patch Tuesday batch of security updates.

Adobe is slated to release updates to fix critical vulnerabilities in its Reader and Acrobat products for Windows and Macintosh operating systems.

According to a pre-notification security bulletin posted yesterday on the company’s site, versions of Reader XI from 11.0.05 and earlier and Reader X from 10.1.8 and earlier are vulnerable along with versions of Acrobat XI 11.0.05 and earlier and Acrobat X 10.1.8 and earlier.

Oracle’s quarterly Critical Patch Update will bring a slew of fixes – 147 in total – to 47 of the company’s products, including Java SE.

Speaking of Java SE, this will be the second time Java updates have been included in Oracle’s quarterly patch roundup. SE, along with SE Embedded, JavaFX and JRockit, accounts for most of the fixes this quarter, 36 of the 147 listed. According to Oracle’s pre-release announcement, 34 of those 36 could be remotely exploited without authentication.

Naturally we’ll have to wait until Tuesday to find out more information about the patches and exactly what vulnerabilities they’ll address.

Microsoft has already announced it will patch a Windows XP zero day flaw from late last year on Tuesday along with separate issues in Office and Dynamics AX.

Target Reveals New Data Breach Details: 110 Possibly Million Affected

Threatpost for B2B - Fri, 01/10/2014 - 12:49

UPDATE: The latest on Target’s Black Friday data breach plunged the incident to uglier depths.

The giant Minneapolis-based retailer today revealed new details culled from a forensic investigation that the attackers not only stole credit and debit card information, but also names, mailing addresses, phone numbers and email addresses impacting another 70 million individuals. Initially, Target reported losing only magnetic strip data on 40 million payment cards.

“Today we are sharing that, as the result of the data breach, it has been confirmed that the partial personal information for up to 70 million individuals was also stolen. These are two distinct groups and are not linked,” Target manager of public relations Molly Snyder told Threatpost over email this afternoon. “While there may some overlap between the two groups (the 40 million and the 70 million) but we don’t know to what extent at this time.”

Target said it will be contacting affected customers by email.

“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, chairman, president and chief executive officer, Target in a statement. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”

Target said it is offering individuals who shopped at its U.S. locations one year of free credit monitoring and identity theft protection.

Target’s most recent announcement also accompanied an update to its fourth quarter financial outlook; the company announced it will miss Wall Street projections significantly, perhaps by as much as $.40, and projects a sales decline of 2.5 percent. Target’s initial guidance was flat.

The announcement said fourth quarter sales were on an upward track prior to the breach announcement on Dec. 18; hackers reportedly had access to Target systems from Nov. 27, the day before Thanksgiving, to Dec. 15, the peak of the holiday shopping season. Post breach announcement, Target’s release today said sales were “meaningfully weaker than expected,” and it expects a sales decline of 2 percent to 6 percent for the remainder of Q4.

Target has provided a number of updates since the initial breach announcement, each one refuting a previous claim or informing customers that the scope of the breach had worsened.

Soon after the initial announcement, which said only track data was stolen, Target amended that with an announcement that hackers had also made off with encrypted PIN data. Target assured customers the PINs were safe, but security experts cautioned that despite the use of 3DES encryption, there were still ways that determined, well-resourced hackers could decrypt the information and begin to clone ATM cards, for example.

Target said PIN data is encrypted at the point-of-sale terminal and decrypted only at its payment processor. The key, Target said, is not stored with the retailer and is never sent in transit with the PIN data. Experts told Threatpost that the PIN data is likely secure unless hackers get access to the key or the machine storing the key.

“Most people object to 3DES because it’s an ancient algorithm that was designed as a patch for (now broken) DES until AES was finalized,” said Matthew Green, a cryptographer and professor at Johns Hopkins University. “Now we’ve had AES for more than a decade, it’s questionable why we’d be using 3DES.”

The Payment Card Industry Data Security Standard (PCI-DSS), which governs how retailers secure payment card data and transactions, mandates unique keys for every payment terminal, limiting the scale of risk brought by the breach, experts said. That of course assumes Target is PCI compliant.

This article was updated at 3:30 p.m. ET with clarification and comment from Target.

Microsoft Expected to Patch XP Zero Day on Patch Tuesday

Threatpost for B2B - Fri, 01/10/2014 - 12:05

Microsoft announced Thursday that it plans to release four bulletins next week as part of the year’s first batch of Patch Tuesday security updates, none of which are rated critical.

Despite the relatively light load, the patches do address a zero-day vulnerability in Windows XP and Windows Server 2003 made public in early November. Hackers were actively exploiting the flaw in the NDProxy driver, which manages Microsoft’s Telephony API on XP, via infected PDF attachments. Exploits work only in conjunction with an Adobe Reader vulnerability that has since been patched.

In addition to Microsoft patches, expect a fresh batch of Adobe patches as well as Oracle’s quarterly Critical Patch Update, which is generally a massive patch rollout that now includes Java patches.

The Microsoft bulletins will address vulnerabilities in Windows, Office and Dynamics AX, all of which Microsoft has deemed important, including the zero-day fixes.

“It’s only rated important for a variety of reasons, including the fact that Microsoft will end support for XP in April,” said Russ Ernst, a director of product management at Lumension. “If you’re still using XP, this will be an important patch to deploy. And, hopefully you are working on your migration plan.”

According to a post on Microsoft’s Security Response Center blog by Dustin Childs, MS14-002 will address the zero day. Childs had acknowledged back in December that Microsoft was working on a patch for the issue, which stems from a vulnerability in the kernel and allows local privilege escalation and access to the kernel.

“We have only seen this issue used in conjunction with a PDF exploit in targeted attacks, and not on its own,” Childs said.

Microsoft has used the zero-day vulnerability as a prime opportunity to urge Windows users to migrate off XP. The company previously announced its plans to effectively end support for the operating system on April 8.

The first bulletin will address a remote code execution vulnerability in Microsoft SharePoint Server and Microsoft Word, the third will fix an elevation of privilege flaw in Windows 7 and Server 2008 R2, and the last bulletin will fix a denial of service (DoS) issue in Microsoft’s enterprise resource planning software, Dynamics AX.

As usual, Microsoft will push updates for the software in question next Tuesday and post patch analysis and deployment guidance on its Security Response Center blog.

Flaws Plague Leading Mobile Banking Apps

Threatpost for B2B - Fri, 01/10/2014 - 11:59

An alarming percentage of mobile banking applications for iOS fail to implement basic protections that would safeguard against man-in-the-middle attacks, session hijacking, memory corruption, and credential theft.

Ariel Sanchez, a researcher with IOActive based in Argentina, put 40 mobile apps from 60 leading banks worldwide through a series of tests that analyzed the security of their transport mechanism, compiler, user interface, storage, logging and binaries.

IOActive reported the vulnerabilities to the respective banks, Sanchez said, but to date, none of the banks have reported patching any of the security issues.

Sanchez said the most worrisome problem, discovered during static analysis of each app’s binary code, was the number of hardcoded development credentials buried in the binaries.

“This vulnerability could be used to gain access to the development infrastructure of the bank and infect the application with malware, causing a massive infection for all of the application’s users,” Sanchez said.

Sanchez said 90 percent of the applications he looked at sent users to a number of links that were not encrypted with SSL, while close to half of the apps did not validate the SSL certificates presented, putting customers at risk of man-in-the-middle attacks in which an attacker could inject malicious JavaScript or HTML code as part of a phishing scam, for example.

“I think that more of these mobile banking apps are using non-SSL links because, in some cases, they don’t see how all these non-SSL links can be used to compromise the app and the customer using these apps.”

Sanchez also found serious issues in 50 percent of the apps’ iOS UIWebView implementations; in particular, there were cases where native iOS functionality was exposed and a JavaScript attack could be used to inject a phony HTML log-in form, leading to credential theft. Compounding the authentication issue is the reluctance of 70 percent of the banks to require a second form of authentication, sometimes sent via SMS message.

Only 10 percent of the apps, Sanchez said, had jailbreak detection capabilities. Attackers, using a jailbroken iPhone, for example, could load any number of illicit debugging tools and find vulnerabilities on a device.

Sanchez also discovered that the apps leak information via system logs and crash reports. An attacker intercepting a crash report, for example, could learn a wealth of system information that could allow them to build targeted exploits. A similar issue was recently reported with Microsoft Windows Error Reporting, whose reports are sent by default by the operating system to Microsoft unencrypted.

“Someone with the right skills could use this information to detect potential bugs and after some research could develop an exploit or malware to compromise the customers of the affected banking apps,” Sanchez said. “We could say that it is the first step for a potential security threat.”

Sanchez’s static analysis of app binaries revealed additional information leaks such as internal IP addresses and file system paths as well as the use of unencrypted SQLite databases to store information or the transmission of activation codes in plaintext.

The lack of encryption puts any data the app interacts with at risk, Sanchez said.

“You only need the binary of the app, and also one tool to decrypt the code and another to disassemble the code,” he said. “There are a large number of public papers that describe how to decrypt and disassemble the code of these apps. Someone with some time and without any expertise can easily follow it.”

Critics Cut Deep on Yahoo Mail Encryption Rollout

Threatpost for B2B - Thu, 01/09/2014 - 12:17

Yahoo, as promised, rolled out HTTPS by default this week for its email service, bringing it in line with other Internet companies that have been securing users’ communication for years.

But if Yahoo expected applause from security experts, it can think again. The response from those well-versed in crypto has been as half-hearted as those experts perceive Yahoo’s efforts to be.

“Yahoo’s announcement that it has enabled HTTPS encryption for all Yahoo Mail users is not only too little too late, but also quite troubling,” said Metasploit senior engineering manager Tod Beardsley.

Specifically, Beardsley and others are troubled by Yahoo’s lack of support for Perfect Forward Secrecy, a technique in which each session is secured by a randomly generated, ephemeral key pair, so that an attacker who later steals the server’s long-term private key cannot use it to decrypt recorded sessions. Perfect Forward Secrecy is enabled on major sites and services such as Twitter, Facebook and Google, which use the Elliptic Curve Diffie-Hellman key exchange, Beardsley said; it generates a one-time key per session, making it difficult for an attacker to later use private keys to decrypt the data.

“For a website that deals with a lot of personal information, I would say [forward secrecy] is essential,” said Ivan Ristic, director of application research at security company Qualys. “A powerful adversary could collect encrypted network traffic, wait patiently and then obtain the server private key in some way (either with a warrant, illegally, or by breaking the key eventually). Once the key is obtained, all past traffic can be decrypted.

“With Forward Secrecy, each connection is separately encrypted, requiring each connection to be individually broken (which is many, many, many times harder than breaking a single key),” Ristic said.

Ristic did a deep dive into Yahoo’s encryption implementation, and told Threatpost the company uses different SSL configurations on many of its sites, including Yahoo.com, log-in pages and mail pages. Weak crypto implementations plague Yahoo across the board, from its use of the broken RC4 algorithm in some spots, to the use of TLS compression, which was determined to be insecure in 2012, Ristic said.

“They use RC4 with all browsers, except with IE11 (but only because this browser does not support RC4 by default),” Ristic said. “This is an unfortunate choice, given that RC4 was broken in early 2013 and that non-broken ciphers are available. The risk from RC4 exploitation is low, however. Still, they should have used TLS 1.2 suites, and ideally the authenticated GCM suites.”

Ristic shared data from his analysis of four Yahoo mail servers and found that the majority did not have TLS 1.2 enabled, and none had HTTP Strict Transport Security enabled, a feature he said ensures sessions are encrypted even if users are lured to a plain HTTP link for the site.

“HSTS is difficult to deploy if your architecture is complex, and for that reason Yahoo might need significant time to deploy it (and consistently),” said Ristic. Yahoo has not made its encryption road map public, and it’s unknown whether it plans to deploy HSTS or Forward Secrecy.

“As for deployment challenges, I am sure there are many. With exception of HSTS (which might require deep software changes), all these other issues are easy to fix on a standalone server (support TLS 1.2, disable compression, enable Forward Secrecy, etc),” Ristic said. “The challenge is rolling out the changes across your entire infrastructure. I can’t speak in detail, because I am not familiar with their infrastructure.”
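The server-side items Ristic lists above (TLS 1.2 with authenticated GCM suites, no RC4, no TLS compression, forward-secret key exchange, plus HSTS) can be expressed as a checkable policy. The following is an added example built on Python’s standard `ssl` module; it is not Yahoo’s configuration or any code from the article. The function names (`hardened_server_context`, `audit_context`, `hsts_header`) and the cipher string are this example’s own choices, and the audit relies on the cipher metadata that `SSLContext.get_ciphers()` exposes.

```python
"""Server-side TLS hardening check for the issues named above: forward secrecy
(ECDHE/DHE key exchange), RC4, TLS compression, a TLS 1.2 floor with AEAD (GCM)
suites, and the HSTS header.  Hypothetical example code; not Yahoo's setup."""
import ssl


def hardened_server_context():
    """Build a server context that meets the recommendations quoted above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # TLS 1.2 as the floor: AEAD (GCM) suites only exist from 1.2 upwards.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Disable TLS-level compression (the 2012 CRIME result made it unsafe).
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Use the server's suite ordering so a client cannot steer us to a weak suite.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # Only ephemeral key exchange (forward secrecy) with AEAD bulk ciphers:
    # this excludes RC4 and static-RSA key exchange.  TLS 1.3 suites, which
    # OpenSSL adds on its own, are always ephemeral and AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")
    return ctx


def audit_context(ctx):
    """Return a list of findings against the policy; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if "RC4" in name:
            findings.append("RC4 suite offered: " + name)
        if suite["protocol"] == "TLSv1.3":
            continue  # every TLS 1.3 suite is ephemeral-DH and AEAD by construction
        if not name.startswith(("ECDHE-", "DHE-")):
            findings.append("no forward secrecy: " + name)
        if not suite["aead"]:
            findings.append("non-AEAD suite: " + name)
    return findings


def hsts_header(max_age_seconds=31536000, include_subdomains=True):
    """Response header that keeps browsers on HTTPS for the site once seen."""
    value = "max-age=%d" % max_age_seconds
    if include_subdomains:
        value += "; includeSubDomains"
    return ("Strict-Transport-Security", value)


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("findings:", audit_context(ctx) or "none")
    print("offered suites:", [c["name"] for c in ctx.get_ciphers()])
    print("%s: %s" % hsts_header())
```

The audit is the useful half: point it at any `SSLContext` a service builds and it names the specific departures from the policy, which is the kind of per-server check that scales to the "entire infrastructure" rollout Ristic describes. HSTS is deliberately a separate header helper, since it is an application-layer change rather than a TLS setting.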

Good timing is also not on Yahoo’s side, considering that it is still recovering from an attack on its European sites. Hackers had infiltrated Yahoo’s third-party ad service, which was not only serving malicious ads that redirected millions of visitors to hacker sites hosting financial malware, but were also turning those machines into bots for Bitcoin mining. The BBC reported that attackers were using the combined computing power of those machines to generate the cryptocurrency.

That’s a relatively minor infraction compared to the perceived minimal crypto deployed by Yahoo. Encryption is heralded as the best current defense against government surveillance, and SSL should be considered a minimum standard, Seth Schoen, senior staff technologist at the Electronic Frontier Foundation, told Threatpost in October. That was when Yahoo announced it was finally catching up to the rest of the pack and turning on SSL by default for Yahoo Mail.

Christopher Soghoian, principal technologist and senior policy analyst with the American Civil Liberties Union, slammed Yahoo’s delay in October because of the relative simplicity with which hackers or governments can conduct surveillance on Web traffic, including email, without encryption.

“The threat is real,” Soghoian said. “Whether the entity monitoring is the NSA or an identity thief at Starbucks, it has long been known that tools exist to allow interception.”

Siemens Fixes Authentication Bugs in Scalance X-200 Switches

Threatpost for B2B - Thu, 01/09/2014 - 11:58

Researchers have discovered two serious vulnerabilities in industrial Ethernet switches manufactured by Siemens that could enable attackers to perform unauthorized actions on the switches without authentication. One of the bugs allows attackers to hijack Web sessions and the other enables them to perform admin tasks on the switches.

The vulnerabilities were discovered by researchers at IOActive, and Siemens has released patches for the bugs in the Siemens SCALANCE X-200 switches.

“SCALANCE X-200 switches are used to connect industrial components like Programmable Logic Controllers (PLCs) or Human Machine Interfaces (HMIs). The switches offer a web interface to enable users to change the configuration using a common web browser. An issue in the web server’s authentication of the affected products might allow attackers to hijack web sessions over the network without authentication,” the Siemens advisory says.

The vulnerabilities lie in the authentication system of the switches, and Siemens said that attackers could use the flaws to bypass authentication and take actions on the switches that shouldn’t be possible.

“The authentication of the integrated web server of SCALANCE X-200 switches might allow attackers to hijack web sessions over the network without authentication due to insufficient entropy in its random number generator.”
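The advisory’s root cause, insufficient entropy in the random number generator behind web sessions, is a general defect rather than anything specific to the switch firmware, and the fix is the same everywhere: derive session identifiers from a cryptographically secure source with enough bits that they cannot be guessed. The following added example is hypothetical illustration code and not the SCALANCE firmware or any Siemens code; the function names (`weak_session_id`, `strong_session_id`, `acceptable_session_id`) are this example’s own, and the 128-bit floor is a common conservative choice, not a value from the advisory.

```python
"""Web session identifiers: what 'insufficient entropy' looks like, beside the
hardened form.  Hypothetical example code; not the SCALANCE firmware."""
import random
import secrets
import time


def weak_session_id(seed=None):
    """The anti-pattern: a 32-bit value from a non-cryptographic PRNG seeded with
    the clock.  Both the small output space and the guessable seed are defects;
    two generators started from the same seed yield the same identifiers."""
    rng = random.Random(int(time.time()) if seed is None else seed)
    return "%08x" % rng.getrandbits(32)


def strong_session_id(nbytes=16):
    """Hardened form: bytes from the OS CSPRNG (secrets -> os.urandom).
    16 bytes gives 128 bits, which makes brute-force guessing infeasible."""
    if nbytes < 16:
        raise ValueError("session ids need at least 128 bits of entropy")
    return secrets.token_hex(nbytes)


def acceptable_session_id(sid, min_bits=128):
    """Review-time check on an identifier format: hex digits carry 4 bits each,
    so length alone bounds the entropy a token could possibly hold."""
    try:
        int(sid, 16)
    except ValueError:
        return False
    return len(sid) * 4 >= min_bits


if __name__ == "__main__":
    # Constructed seed to show reproducibility of the weak generator.
    print("weak, same seed twice:", weak_session_id(1234), weak_session_id(1234))
    print("strong:", strong_session_id(), strong_session_id())
    print("weak passes format floor?", acceptable_session_id(weak_session_id(1234)))
    print("strong passes format floor?", acceptable_session_id(strong_session_id()))
```

The `acceptable_session_id` check is the piece worth keeping in a code review or a test suite: an upper bound on entropy follows from the token length alone, so a 32-bit identifier fails before anyone has to reason about the generator behind it.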

IOActive researcher Eireann Leverett, who discovered the vulnerabilities, said that the Siemens security response team was quick to acknowledge his findings and set to work on a fix immediately.

“Siemens ProductCERT were professional, courteous, and did not adopt an adversarial attitude when I contacted them about the vulnerabilities. Consequently, we were able to clarify the vulnerabilities quickly, and they produced a patch within three months,” said Leverett. “I challenge other ICS vendors to match this timeline for security patching in the future.”

That kind of response is relatively rare in the ICS and SCADA software and hardware world, which lags quite a bit behind traditional software vendors in its security response processes. Tales of researchers waiting months, or in some cases years, for responses or patches for vulnerabilities they’ve reported in industrial control software and SCADA systems are not uncommon. That seems to be changing slowly, as researchers are spending more time and energy looking for vulnerabilities in these products, as are attackers.
