Threatpost for B2B

The First Stop For Security News

Seriousness of OpenSSL Heartbleed Bug Sets In

Tue, 04/08/2014 - 10:00

UPDATE–Site operators and software vendors are scrambling to fix the OpenSSL heartbleed bug revealed Monday, a vulnerability that enables an attacker to extract up to 64 KB of server memory per request. Attacks can leak private keys, usernames and passwords and other sensitive data, and some large sites, including Yahoo Mail, are vulnerable right now.

The vulnerability exists in OpenSSL 1.0.1 through 1.0.1f (releases before 1.0.1 are not affected), and the maintainers released a patch for the flaw on Monday. However, now that the details of the vulnerability are public, researchers have begun digging into it and several tools have been published to test various domains to see whether they’re vulnerable. Some high-profile sites, including Yahoo Mail, LastPass, the OpenSSL site and the main FBI site have been confirmed to leak certain information via the bug. There also is a proof-of-concept exploit for the flaw posted on GitHub.

LastPass officials said that they patched the vulnerability Tuesday morning, and that user data was never at risk. The company was running a vulnerable version of OpenSSL, but had other security measures in place that mitigated the risk.

“However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted – it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern,” the company said in a blog post.

“Also, LastPass has employed a feature called ‘perfect forward secrecy’. This ensures that when security keys are changed, past and future traffic also can’t be decrypted even when a particular security key is compromised.”

The vulnerability lies in the way OpenSSL handles the heartbeat extension of the TLS protocol. A heartbeat request carries a 16-bit payload length supplied by the peer, and a missing bounds check meant that OpenSSL copied that many bytes into its response without confirming that the request actually contained them. The result is that an attacker can read up to 64 KB of process memory from a machine protected by a vulnerable OpenSSL, and can repeat the request as often as desired.
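As an added illustration (this is not OpenSSL’s code), the following C model captures the bug and the fix in one routine. With the check disabled it trusts the peer’s declared payload length, as the vulnerable versions did; with the check enabled it rejects any request whose declared payload does not fit inside the record that actually arrived, which is the substance of the 1.0.1g fix. The heartbeat request, the arena and the “secret” placed behind the record are constructed for the demonstration, and all function names are ours.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not OpenSSL's code: a simplified model of TLS heartbeat
 * handling (RFC 6520 record: 1-byte type, 2-byte payload length, payload,
 * at least 16 bytes of padding). check_bounds == 0 behaves like the
 * vulnerable code path; check_bounds == 1 applies the missing checks.
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/*
 * rrec points at the received heartbeat record of rrec_len bytes. Writes a
 * response into out (capacity out_cap) and returns its length, or -1 if the
 * record is rejected or the response would not fit.
 */
long hb_respond(const uint8_t *rrec, size_t rrec_len,
                uint8_t *out, size_t out_cap, int check_bounds)
{
    const uint8_t *p = rrec;
    size_t payload, resp_len;
    uint8_t hbtype;

    /* Hardened only: the fixed header and minimum padding must be present. */
    if (check_bounds && rrec_len < 1 + 2 + HB_PADDING)
        return -1;

    hbtype = *p++;
    payload = ((size_t)p[0] << 8) | p[1];   /* peer-supplied, up to 65535 */
    p += 2;

    if (hbtype != HB_REQUEST)
        return -1;

    /* Hardened only: the declared payload must lie inside the record that
     * actually arrived. This is the check the vulnerable code lacked. */
    if (check_bounds && 1 + 2 + payload + HB_PADDING > rrec_len)
        return -1;

    resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    /* Without the check above this copies `payload` bytes from the peer's
     * data even when far fewer bytes were received: whatever sits after
     * the record in memory is echoed back to the peer. */
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (long)resp_len;
}

/*
 * Constructed scenario: a 20-byte heartbeat request carrying 1 byte of
 * payload but declaring 64, placed in an arena with a "secret" right behind
 * it to stand in for the adjacent heap memory of a real server.
 */
static long run_scenario(int check_bounds, uint8_t *out, size_t out_cap)
{
    static uint8_t arena[256];
    static const char secret[] = "SESSION_KEY=deadbeef";   /* constructed */
    size_t rrec_len = 1 + 2 + 1 + HB_PADDING;   /* bytes actually received */

    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = 0;
    arena[2] = 64;                      /* claims 64 bytes of payload */
    arena[3] = 'A';                     /* the single real payload byte */
    memcpy(arena + rrec_len, secret, sizeof secret);   /* "heap" neighbour */

    return hb_respond(arena, rrec_len, out, out_cap, check_bounds);
}

/* Response length the scenario produces: 83 when unchecked, -1 when checked. */
long scenario_response_len(int check_bounds)
{
    uint8_t out[256];
    return run_scenario(check_bounds, out, sizeof out);
}

/* 1 if the response echoes the secret that was never part of the record. */
int scenario_leaks_secret(int check_bounds)
{
    uint8_t out[256];
    const char *needle = "SESSION_KEY";
    size_t nl = strlen(needle);
    long n = run_scenario(check_bounds, out, sizeof out);

    for (size_t i = 0; n > 0 && i + nl <= (size_t)n; i++)
        if (memcmp(out + i, needle, nl) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("unchecked: len=%ld leaks=%d\n",
           scenario_response_len(0), scenario_leaks_secret(0));
    printf("checked:   len=%ld leaks=%d\n",
           scenario_response_len(1), scenario_leaks_secret(1));
    return 0;
}
```

Run as written, the unchecked path returns an 83-byte response containing SESSION_KEY=deadbeef, which was never part of the request, while the checked path returns -1 and sends nothing. The second check is the important one: padding of at least 16 bytes is mandatory, so a record shorter than 19 bytes can never be valid, and a declared payload larger than the record can never be honest.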

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users,” a description of the vulnerability written by Codenomicon says.

OpenSSL is perhaps the most widely deployed SSL library and appears in a wide variety of applications, including a number of Linux distributions. Red Hat and Ubuntu already have issued patches for the vulnerability. Note that distribution packages typically backport the fix without changing the upstream version string, so on such systems the package changelog, not the output of openssl version, tells you whether the fix is installed.

But the larger problem is that many SSL certificates could be compromised now, as the secret key that protects a given certificate could be disclosed in an attack on this vulnerability. The process of revoking and reissuing those certificates could go on for a long time, depending upon how many organizations realize their sites are vulnerable and how quickly they respond.

“It’s a nightmare vulnerability, since it potentially leaks your long term secret key — the one that corresponds with your server certificate. Worse, there’s no way to tell if you’ve been exploited. That means the prudent thing to do now is revoke your certificate and get a new one. We’ll see how many people do that,” said cryptographer Matthew Green, a professor at Johns Hopkins University.

The vulnerability in OpenSSL appears to have been introduced two years ago. A test site that enables users to enter domains to check their vulnerability status has been up since Monday.

Ivan Ristic, director of application security research at Qualys, said that the OpenSSL heartbleed flaw is potentially quite damaging for many organizations because of the ease of exploitation and the implications of a successful attack.

“This vulnerability is very easy to exploit. It’s very easy to build from scratch (starting with the OpenSSL diff), and there are also several tools that can be downloaded and used, in a matter of minutes,” Ristic said.

“According to the SSL Pulse statistics, about 32% of the servers in that data set support TLS 1.2. Chances are most of them run OpenSSL, and are thus vulnerable. So that’s a very large number of servers. Because this is so easy to exploit, we’re already seeing many attacks. Servers that did not have Forward Secrecy are the most vulnerable, because a serious adversary, who has a recording of the encrypted site traffic, might now be able to easily recover the site’s private key and use it to decrypt traffic retroactively.”

This article was updated on April 8 to include information from Lastpass.

The Muddy Waters of XP End-of-Life and Public Disclosures

Tue, 04/08/2014 - 06:03

Windows XP security support ends Tuesday and until now, most of the public hand-wringing over XP’s end-of-life has been about the potential for malware outbreaks against unpatched vulnerabilities that have been stockpiled by hackers anxiously awaiting April 8, 2014.

But what about vulnerabilities in XP that have been responsibly shared with Microsoft and won’t be fixed? Those too are perpetual zero-days after Tuesday.

Microsoft has made huge strides in developing trusted relationships with security researchers who are actively submitting bugs to Microsoft across its product lines. For Microsoft’s part, it has done outreach to researchers, clarified disclosure policies and processes and established bounty programs for bypasses of innate Windows mitigations.

And Microsoft isn’t to be faulted for its business decision, made long ago, to end the extended support for XP that includes security patches. Yet the fact remains that whatever XP systems remain in circulation after Tuesday will be exposed, and that brings up questions, such as: How will white or gray hats respond? For example, will there be a firestorm of public disclosures in the coming weeks?

“I know a subset of people who have disclosed stuff [in XP] to Microsoft that has not been patched, and that’s given what I know. I’m sure there’s more I don’t know of,” said Ross Barrett, senior manager of security engineering at Rapid7. “I wouldn’t encourage researchers to publicly disclose their research because they think that might make Microsoft issue a patch, because that’s not going to happen. The only result is that it would increase the exposure for people at large.

“It’s a muddy bit of water,” Barrett said. “Microsoft has been good about dealing with researchers who have been doing the right thing by following responsible disclosure procedures, but now they’re not seeing action.”

Microsoft did not respond to a request for comment in time for publication.

HP’s Zero Day Initiative, which buys vulnerabilities and exploits from researchers and shares them first with customers and then the affected vendor, has 203 advisories pending public disclosure listed on its website, 54 of which are Microsoft vulnerabilities going back a year. The website doesn’t list the specific Microsoft product affected, but Microsoft has more than any other major vendor on the list.

“I’m sure there’s tons of stuff still out there; some of it is design flaw stuff that Microsoft can’t fix or never got around to it,” Barrett said. “I’m sure there’s a backlog of stuff, but the clock has run out on XP.”

Microsoft has already announced its final XP patch, a fix for a zero-day in Word that will be available Tuesday (Office 2003 support also ends Tuesday). The fear among some experts is that hackers will look at Microsoft security bulletins for vulnerabilities in supported products and trace those back to their potential exploitability in XP.

“Absolutely hackers do that,” Barrett said. “If you’ve got a vulnerability in this file, they’ll track it back to a particular DLL and see that it’s been part of the OS since 2002 and not updated since 2004, they’ll know it’s vulnerable.

“You might see a golden age of XP vulnerabilities for the next four to six months when adoption of XP is still relatively high and countermeasures are no longer in place. Then you’ll start to see it fade as it’s less used.”

Qualys CTO Wolfgang Kandek has been tracking XP use in certain industries through the company’s vulnerability scanner. Financial institutions still have the highest use of XP at 21 percent, followed by transportation at 14 percent (though this has dropped from 55 percent 12 months ago). Retail, another industry run ragged by hackers, is also at 14 percent. Support for Windows XP Embedded, which runs inside a number of consumer and commercial devices in these industries, does not run out until Jan. 12, 2016.

“This is an additional weakness for these (retail) systems,” Kandek said. “There are already problems with remote management, default passwords that work everywhere, a bunch of things that were done to make management easier that were not configured well. This just adds to it.”

Kandek said that roughly 70 percent of the vulnerabilities Microsoft patched in 2013 affected every Windows version from XP through Windows 8.

“I don’t see why that would stop in May, June or July. Attackers can use that knowledge as a pointer into XP to find if a vulnerability exists. It’s an accelerator for them. My feeling is that after two or three months, there will be tools in public that reliably exploit XP. I can definitely see how that would make an attacker’s work much easier.”

OpenSSL Fixes Serious TLS Vulnerability

Mon, 04/07/2014 - 16:23

The maintainers of the OpenSSL library, one of the more widely deployed cryptographic libraries on the Web, have fixed a serious vulnerability that could have resulted in the revelation of 64 KB of memory to any client or server that was connected.

The details of the vulnerability, fixed in version 1.0.1g of OpenSSL, are somewhat scarce.

The OpenSSL Project site says that the bug doesn’t affect versions prior to 1.0.1.

“A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server,” the OpenSSL release notes for 1.0.1g say.

The OpenSSL library is deployed in a huge number of operating systems and applications, including a wide variety of Unix and Linux distributions, as well as OS X. Popular Web servers such as Nginx and Apache also are affected, as are some major cloud-based applications and platforms, including CloudFlare. That company’s engineers implemented a fix for the OpenSSL vulnerability last week, before the details of the bug were disclosed.

“OpenSSL is the core cryptographic library CloudFlare uses for SSL/TLS connections. If your site is on CloudFlare, every connection made to the HTTPS version of your site goes through this library. As one of the largest deployments of OpenSSL on the Internet today, CloudFlare has a responsibility to be vigilant about fixing these types of bugs before they go public and attackers start exploiting them and putting our customers at risk,” Nick Sullivan of CloudFlare wrote in a blog post.

“We encourage everyone else running a server that uses OpenSSL to upgrade to version 1.0.1g to be protected from this vulnerability. For previous versions of OpenSSL, re-compiling with the OPENSSL_NO_HEARTBEATS flag enabled will protect against this vulnerability. OpenSSL 1.0.2 will be fixed in 1.0.2-beta2.”

The folks at Codenomicon have put together an FAQ on the bug, which they’ve dubbed the Heartbleed vulnerability. Their explanation says that the flaw could enable anyone on the Internet to read the memory of a machine that’s protected by a vulnerable version of the library.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users,” the description says.

“You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.”

OpenSSL 1.0.1g also includes a fix for a cache-timing side-channel attack against ECDSA.

“The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack,” the CVE entry for the bug says.
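To show what “constant-time” means in the CVE text above, here is an added example in C (ours, not OpenSSL’s code): a swap that branches on a secret bit next to a masked swap that does identical work either way, followed by a toy Montgomery ladder that uses the masked swap. The ladder multiplies in the additive group of integers mod m rather than on an elliptic curve so that it stays small; the structure of the loop is what matters. All function names are ours.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not OpenSSL's code. swap_branchy leaks the bit through
 * which memory it touches; swap_consttime does not. Both return the number
 * of words accessed so the difference can be checked directly.
 */

/* Branching swap: touches nothing when bit == 0, everything when bit == 1.
 * A FLUSH+RELOAD probe on the operands' cache lines recovers the bit. */
size_t swap_branchy(uint32_t *a, uint32_t *b, size_t n, unsigned bit)
{
    size_t touched = 0;
    if (bit & 1) {
        for (size_t i = 0; i < n; i++) {
            uint32_t t = a[i];
            a[i] = b[i];
            b[i] = t;
            touched += 2;
        }
    }
    return touched;
}

/* Constant-time swap: mask is all-ones or all-zeros, every word of both
 * operands is read and written in both cases, no instruction depends on bit. */
size_t swap_consttime(uint32_t *a, uint32_t *b, size_t n, unsigned bit)
{
    uint32_t mask = (uint32_t)0 - (uint32_t)(bit & 1);
    size_t touched = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t t = (a[i] ^ b[i]) & mask;
        a[i] ^= t;
        b[i] ^= t;
        touched += 2;
    }
    return touched;
}

/*
 * Toy Montgomery ladder computing k * P in the additive group Z_m (m < 2^31).
 * Two accumulators, one constant-time swap before and after the group
 * operations for every bit of the secret scalar k: the same control flow an
 * EC scalar multiplication uses, with modular addition as the group law.
 */
uint32_t ladder_mul(uint64_t k, uint32_t P, uint32_t m)
{
    uint32_t r0[1] = { 0 };          /* running result */
    uint32_t r1[1] = { P % m };      /* invariant: r1 = r0 + P */

    for (int i = 63; i >= 0; i--) {
        unsigned bit = (unsigned)((k >> i) & 1);
        swap_consttime(r0, r1, 1, bit);
        r1[0] = (uint32_t)(((uint64_t)r0[0] + r1[0]) % m);
        r0[0] = (uint32_t)(((uint64_t)r0[0] * 2) % m);
        swap_consttime(r0, r1, 1, bit);
    }
    return r0[0];
}

/* Words touched by each swap on a 4-word operand for the given bit. */
size_t touched_branchy(unsigned bit)
{
    uint32_t a[4] = { 1, 2, 3, 4 }, b[4] = { 5, 6, 7, 8 };
    return swap_branchy(a, b, 4, bit);
}

size_t touched_consttime(unsigned bit)
{
    uint32_t a[4] = { 1, 2, 3, 4 }, b[4] = { 5, 6, 7, 8 };
    return swap_consttime(a, b, 4, bit);
}

/* 1 if swap_consttime swaps exactly when bit == 1 and not otherwise. */
int consttime_swap_correct(void)
{
    uint32_t a[4] = { 1, 2, 3, 4 }, b[4] = { 5, 6, 7, 8 };
    swap_consttime(a, b, 4, 0);
    if (a[0] != 1 || b[3] != 8)
        return 0;
    swap_consttime(a, b, 4, 1);
    return a[0] == 5 && a[3] == 8 && b[0] == 1 && b[3] == 4;
}

int main(void)
{
    printf("branchy   bit=0:%zu bit=1:%zu\n", touched_branchy(0), touched_branchy(1));
    printf("consttime bit=0:%zu bit=1:%zu\n", touched_consttime(0), touched_consttime(1));
    printf("1234567 * 89 mod 1000003 = %u\n", ladder_mul(1234567ULL, 89, 1000003));
    return 0;
}
```

Counting accesses makes the leak concrete: the branching swap touches zero words or all of them depending on the bit, so a probe on the operands’ cache lines reads the scalar one bit per iteration, while the masked swap touches every word in both cases. OpenSSL’s fix moved the ladder onto the same masking idiom (BN_consttime_swap). A compiler is still free to turn a mask back into a branch, which is why such code is checked at the assembly level and not only at the source.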

New Zeus Variant Comes Complete With a Signed Certificate

Mon, 04/07/2014 - 14:51

Yet another variant of the Zeus banking Trojan has surfaced; this one comes disguised as an Internet Explorer document and uses an authentic digital certificate to download a rootkit onto infected machines.

According to researchers at the SSL firm Comodo, more than 200 examples of the Trojan have been discovered in the wild so far.

The Trojan arrives either as a suspicious email attachment or via an exploit, and then runs a simple man-in-the-browser (MitB) attack. From there the fake IE document does some fairly routine Zeus things, such as stealing user data entered into web forms, login credentials and credit card information, in order to perpetrate financial fraud.

What’s interesting is that Comodo claims the bogus IE file is signed with a seemingly legitimate certificate from the Swiss software development firm Isonet AG, something that’s allowed the malware to proceed undetected by antivirus systems.

Once it runs, the file copies itself into memory, executes, and downloads rootkit components from two locations. The rootkit is decrypted into a driver and installed in the Boot Bus Extender group, ensuring it loads before other drivers, which helps keep the Trojan even more covert.

“Its purpose is to protect malicious files and auto-run entries from being deleted by user or antivirus software, increasing difficulty of the removal process,” Comodo wrote in a description of the malware last Thursday.

Using fake and stolen certificates has become commonplace among criminals looking to con users and put their machines at risk. It was just a few months ago that a slew of fake SSL certificates were caught masquerading as legitimate ones from services like Facebook, YouTube and iTunes.

In the wake of big-name CA hacks such as GlobalSign and DigiNotar over the last few years, Google upgraded all of its SSL certificates from 1024-bit to 2048-bit RSA last fall and, along with Mozilla, is in the midst of limiting certificate validity to 60 months, in hopes of preventing further subordinate certificate abuse.

When it comes to certificate abuse, Comodo found itself in the news back in 2011 when it accidentally granted a certificate to an Iranian hacker who went on to issue himself a handful of valid certificates for Google, Yahoo, Skype, Mozilla, and other domains. Comodo was quick to revoke the fraudulent certificates and deploy additional audits and controls to combat future incidents.

Crypto Model Based on Human Cardiorespiratory Coupling

Mon, 04/07/2014 - 14:21

A novel and theoretical encryption scheme inspired by new insights into the way that the human heart and lungs communicate is said to be substantially different than existing crypto-methods and highly resistant to conventional attacks.

The research was undertaken and published by Professors Tomislav Stankovski, Peter McClintock, and Aneta Stefanovska from the Department of Physics at the United Kingdom’s Lancaster University.

“Here we offer a novel encryption scheme derived from biology, radically different from any earlier procedure,” said Stankovski. “Inspired by the time-varying nature of the cardio-respiratory coupling functions recently discovered in humans, we propose a new encryption scheme that is highly resistant to conventional methods of attack.”

Under this new cryptographic scheme, the sender’s communications would be encrypted as time variations of coupling functions from a pair of dynamical systems. These encrypted communications would then travel to and be decrypted by a second pair of identical dynamical systems using the same coupling functions. This, the researchers explain, is analogous to the way in which the human heart and lungs work to communicate with one another.

According to an introduction to the concept posted by the Computer Science Department at Brown University, “Dynamical systems are mathematical objects used to model physical phenomena whose state (or instantaneous description) changes over time. These models are used in financial and economic forecasting, environmental modeling, medical diagnosis, industrial equipment diagnosis, and a host of other applications.”

For a bit of context, the researchers explain that a recent discovery in the field of biology demonstrated that cardiorespiratory coupling functions can be broken down into a number of independent functions and that those functions are of a time-varying nature. In other, simpler words: these coupling functions can essentially be deconstructed and used as ciphers.

“As so often happens with important breakthroughs,” said Professor Stefanovska, “this discovery was made right on the boundary between two different subjects – because we were applying physics to biology.”

These findings, they explain, result in complicated biomedical functions that can be applied to the production of efficient and modular secure communications.

“The use of coupling functions in this way confers an unbounded number of encryption possibilities,” the researchers wrote in a popular summary of their work. “We demonstrate that the scheme enables more than one signal to be transmitted/received simultaneously and that it is exceptionally robust against external noise.”

Using coupling functions instead of standard cryptographic methods increases security by offering a greater degree of freedom in the encryption process without changing the qualitative state of the system. Thus, the researchers believe their method is a significant conceptual advance to the field of cryptography.

Furthermore, the scheme, the researchers claim, is highly modular, which enables it to be implemented in a wide array of different applications and communications protocols.

“This promises an encryption scheme that is so nearly unbreakable that it will be equally unwelcome to internet criminals and official eavesdroppers,” McClintock claims.

The advantage here, the researchers write, is that the new method offers an infinite number of choices for the secret encryption key shared between the sender and the receiver. This makes it virtually impossible for hackers and eavesdroppers to crack the code.

“Unlike all earlier encryption procedures, this cipher makes use of the coupling functions between interacting dynamical systems,” the researchers wrote. “It results in an unbounded number of encryption key possibilities, allows the transmission or reception of more than one signal simultaneously, and is robust against external noise. Thus, the information signals are encrypted as the time variations of linearly independent coupling functions.”

The researchers have published a short but dense paper describing the scheme, including a diagram illustrating how the method works.

Connecting the Dots Between Cookies and Identities

Mon, 04/07/2014 - 13:23

A team of computer science researchers from Princeton have released a paper that explains how an adversary with a passive presence on a network or Internet backbone could track individuals by observing HTTP cookies.

The motivation for the project was news in December that the National Security Agency had the capability to access Google’s PREF cookies to conduct surveillance on individual targets. PREF cookies are preferences cookies that websites reference to learn a user’s preferred language for localization purposes and other personalization features.

Since little is known in detail about how the NSA gathers PREF cookies, the Princeton team took a higher-level approach with their experiment: connecting the dots between the cookies dropped on a user’s machine as they surf the Web in order to establish the user’s real-world identity.

Assuming an adversary, whether a criminal or an intelligence agency, has a presence on the network, the working premise is that the first- and third-party cookies dropped by sites and advertisers can be used to tie a user to web traffic without having to worry about dynamic IP addresses, according to the paper, “Cookies that give you away: Evaluating the surveillance implications of web tracking,” written by Dillon Reisman, Steven Englehardt, Christian Eubank, Peter Zimmerman, and Arvind Narayanan. HTTPS also is not much of an obstacle because, the paper said, many websites where users are logged in already reveal their identity in plain text.

“Thus, an adversary that can wiretap the network can not only cluster together the web pages visited by a user, but can then attach real-world identities to those clusters. This technique relies on nothing other than the network traffic itself for identifying targets,” the paper said. “Even if a user’s identity isn’t leaked in plaintext, if the adversary in question has subpoena power they could compel the disclosure of an identity corresponding to a cookie, or vice versa.”

The paper illustrates the researchers’ theory with a simple diagram. The attacker passively monitors a user’s web traffic; each page the user lands on sends cookies, but the adversary cannot begin connecting those dots until more than two sites have been visited. In the example, the user visits pages A, B and C; tracker X is embedded on A and C, and tracker Y on B and C.

“The unique cookie from X connects A and C while the one from Y connects B and C. We assume here that the user has visited pages with both trackers before so that cookies have already been set in her browser and will be sent with each request.”

The experiment modeled user behavior online by assuming that a user visits up to 300 websites over a two- to three-month period, and looked for components that connect users to their identity. The paper said that 90 percent of visits can be clustered in this way.

“It applies even if the adversary is able to observe only a small, random subset of the user’s requests,” the paper said. “We find that on average, over two-thirds of time, a web page visited by a user has third-party trackers.”

The researchers also learned that 60 percent of the top 50 Alexa websites transmit identifying information in plaintext, such as a user’s name or email address, once a user is logged in, greatly enhancing the experiment’s chances of success.

An attacker interested in monitoring the web activities of a target or set of targets can scan for identity information in the plaintext HTTP traffic or target the cookie ID from a first-party page, the paper said. The researchers said this starting point enables the attacker to “transitively” connect the first-party cookie to other first- and third-party cookies to tie an identity to a cluster of traffic.
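The transitive linking step, as an added example in C that is not the Princeton paper’s code: a passive observer’s page loads are recorded as (page, tracker, cookie) triples, pages that share a tracker cookie are merged with union-find, and any plaintext identity leak then labels the whole cluster. The observations, hostnames and identity are constructed for the demonstration, and the function names are ours.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the paper's code. Pages that carry the same third-party
 * tracker cookie were loaded by the same browser; a plaintext identity leak
 * on any page in a cluster names every page in it.
 */
#define MAX_PAGES 16

struct visit { const char *page; const char *tracker; const char *cookie; };
struct leak  { const char *page; const char *identity; };

/* Constructed wiretap observations (page, tracker host, cookie value). */
static const struct visit visits[] = {
    { "a.example", "x-tracker.example", "x=111" },
    { "c.example", "x-tracker.example", "x=111" },
    { "c.example", "y-tracker.example", "y=222" },
    { "b.example", "y-tracker.example", "y=222" },
    { "d.example", "x-tracker.example", "x=999" },   /* another browser */
};

/* Constructed plaintext identity leaks seen on HTTP pages. */
static const struct leak leaks[] = {
    { "a.example", "alice@example.org" },
};

static const char *pages[MAX_PAGES];
static int parent[MAX_PAGES];
static int npages;

static int lookup(const char *page)
{
    for (int i = 0; i < npages; i++)
        if (strcmp(pages[i], page) == 0)
            return i;
    return -1;
}

static int intern(const char *page)
{
    int i = lookup(page);
    if (i >= 0)
        return i;
    if (npages == MAX_PAGES)
        return -1;
    pages[npages] = page;
    parent[npages] = npages;
    return npages++;
}

static int find(int i)
{
    while (parent[i] != i)
        i = parent[i];
    return i;
}

static void unite(int a, int b)
{
    if (a < 0 || b < 0)
        return;
    a = find(a);
    b = find(b);
    if (a != b)
        parent[a] = b;
}

/* Cluster pages by shared tracker cookies; returns the number of clusters. */
int build_clusters(void)
{
    size_t nv = sizeof visits / sizeof visits[0];
    int clusters = 0;

    npages = 0;
    for (size_t i = 0; i < nv; i++)
        intern(visits[i].page);
    for (size_t i = 0; i < nv; i++)
        for (size_t j = i + 1; j < nv; j++)
            if (strcmp(visits[i].tracker, visits[j].tracker) == 0 &&
                strcmp(visits[i].cookie, visits[j].cookie) == 0)
                unite(lookup(visits[i].page), lookup(visits[j].page));
    for (int i = 0; i < npages; i++)
        if (find(i) == i)
            clusters++;
    return clusters;
}

/* Identity attached to the cluster containing page, or NULL if none leaked. */
const char *identity_for_page(const char *page)
{
    size_t nl = sizeof leaks / sizeof leaks[0];
    int id, root;

    build_clusters();
    id = lookup(page);
    if (id < 0)
        return NULL;
    root = find(id);
    for (size_t i = 0; i < nl; i++) {
        int lid = lookup(leaks[i].page);
        if (lid >= 0 && find(lid) == root)
            return leaks[i].identity;
    }
    return NULL;
}

int main(void)
{
    printf("clusters: %d\n", build_clusters());
    for (int i = 0; i < npages; i++) {
        const char *who = identity_for_page(pages[i]);
        printf("%s -> %s\n", pages[i], who ? who : "(unknown)");
    }
    return 0;
}
```

Pages B and C never leak anything themselves, yet both end up named: B shares Y’s cookie with C, and C shares X’s cookie with A, where the plaintext leak occurred. Page D carries a different cookie value for the same tracker and stays a separate, unlabelled cluster, which is what distinguishes one browser from another.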

“We hope that these findings will inform the policy debate on both surveillance and the web tracking ecosystem,” the paper said. “We also hope that it will raise awareness of privacy breaches via subtle inference techniques.”

Chrome Adds Ability to Force Ephemeral Mode

Mon, 04/07/2014 - 10:16

Google has made a subtle change to the admin console for its Chrome browser, which is used in enterprise environments to set policies for employee use, that will allow administrators to force users to browse in ephemeral mode.

The change won’t have any effect on typical individual users who run Chrome in an unmanaged environment, such as a home machine or enterprise that doesn’t use the admin console. But for administrators in environments where they’re managing a lot of users running Chrome, the ability to force ephemeral mode is a helpful tool in the fight against data loss and other security problems.

Ephemeral mode is a function that allows users to browse the Web on a shared device or a personal laptop by using a profile that won’t save any data or history after the browser is closed. The profile is saved to the machine’s disk and the user has the ability to sign in to Chrome Sync, but once the user closes the browser at the end of the session, the profile is destroyed.

“If Google Chrome Sync is enabled, any changes that the user makes to the browser’s settings or to their Chrome data (such as bookmarks, history, apps etc.) during an ephemeral session will be saved for future sessions. The settings are saved in the user’s Google account in the cloud. If Google Chrome Sync is not enabled, any changes are lost when the user exits the browser,” Google’s documentation on the feature says.

Ephemeral mode is somewhat similar to incognito mode, a feature of the Chrome browser that enables users to browse without any personal settings or without Chrome saving cookies, history or any other identifying information. But there are a few key differences between ephemeral and incognito modes. Most importantly, a user has the ability to choose when or if to use incognito mode.

With ephemeral mode, administrators set that as a policy on a global basis. Also, in ephemeral mode, users have access to their Chrome settings and bookmarks through Chrome Sync. Incognito mode does not allow users to access personal settings.

Despite the advantages that ephemeral mode provides, it still depends on the user for part of its effect.

“When ephemeral mode is set at the user level in the Google Admin console, it relies on the user to sign in to Chrome for sync benefits and for the policy to take effect. The policy should only be used on devices that the user trusts and that are compliant with other corporate policies,” Google says.