Feed aggregator

GnuTLS Certificate Verification Flaw Exposes Linux Distros, Apps to Attack

Threatpost for B2B - Tue, 03/04/2014 - 18:19

GnuTLS, an open source SSL and TLS implementation used in hundreds of software packages including Red Hat desktop and server products and all Debian and Ubuntu Linux distributions, is the latest crypto package to improperly verify digital certificates as authentic. The vulnerability, discovered and reported yesterday by engineers at Red Hat, puts any site or application dependent on GnuTLS at risk for exploit.

“It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification,” Red Hat said in an advisory issued Monday. “An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.”

The vulnerability has eerie similarities to a bug reported by Apple in its iOS mobile operating system and OS X for Mac computers. Now known as the goto fail bug, separate patches were issued for the vulnerability which removed SSL certificate checks from the respective operating systems.

“This really is as bad as it gets,” said Kenneth White, a security expert and principal scientist at Social & Scientific Systems in North Carolina. “An attacker can trivially forge any arbitrary domain and make it appear authoritative and trusted to the requestor. So, not only interception of sensitive channels, but [also] potentially subverting the trusted package signature process as well.”

White estimates there are more than 350 packages that rely on GnuTLS crypto libraries; in addition to popular Linux distributions, core crypto and mail libraries such as libcrypt and libmailutils, and cURL are affected.

“cURL (libcurl3-gnutls), in turn is used by the package updating system both for OpenPGP (gnupg2 and gnupg-curltransport), as well as the system package updater itself (apt-transport-https),” White said. “But what is especially difficult, is understanding the myriad downstream dependencies, such as XML parsers, etc. In general, Debian & Ubuntu have eschewed OpenSSL for license reasons, so there actually exist Nginx and Apache installs that use gnutls as well.”

GnuTLS issued an advisory, confirming the vulnerability and that it was discovered during an audit of GnuTLS for Red Hat. It urges users to upgrade to the latest GnuTLS version 3.2.12 or 3.1.22 or to apply a patch for GnuTLS 2.12x. Red Hat Enterprise Linux Desktop, HPC Node, Server and Workstation v 6, as well as Red Hat Enterprise Linux Server AUS and EUS v 6.5 are affected, Red Hat said in its advisory.

The recent Apple bug brought this issue to the forefront. Apple released a patch on Feb. 21 for iOS and days later for OS X. An attacker with man in the middle positioning on a network could present an invalid certificate that would pass checks normally designed to reject such a cert. The attacker would then be able to monitor communication and network traffic thought to be secure.

Report Urges Protection of Electric Grid from Cyberattacks

Threatpost for B2B - Tue, 03/04/2014 - 17:11

Critical infrastructure policymakers are advocating the foundation of a new entity, the Institute for Electric Grid Cybersecurity, along with a new set of guidelines, to better protect the North American electric grid from cyber-attacks and determine how to respond if the grid is ever compromised.

The initiative was described in a new report (.PDF) issued by the Bipartisan Policy Center. The report was authored by a handful of officials from across the industry, including former National Security Agency and C.I.A. Director Gen. Michael Hayden.

Hayden appeared on a panel last Friday to discuss the paper at the Bipartisan Policy Center in Washington, D.C. where the rest of the report’s authors discussed their recommendations. The group is largely encouraging government agencies and private entities to strengthen the system that’s in place before it’s inevitably attacked.

Calling it a domain that favors the attacker, Hayden called the threats “almost self-evident,” before going on to reference the adversaries who want to “degrade, disrupt, deny, destroy” networks and the hackers out there responsible for “recreational espionage.”

Hayden was joined by Curt Hébert, a partner at Mississippi law firm Brunini, Grantham, Grower & Hewes, Paul Stockton, a Managing Director at economic advisory firm Sonecon, and Scott Aaronson, the Senior Director of National Security Policy for the Edison Electric Institute.

Throughout Friday’s panel, the men made several references to the staggering $6 billion costs that were attributed to the 2003 Northeast blackout of August 2003. While that blackout was ultimately blamed on an errant tree branch, that idea, the concept of a multiday outage, is a spectre that still looms over the electrical grid.

Hébert, who formerly chaired the Federal Energy Regulatory Commission, at one point called electricity “the most critical of the infrastructures,” mentioning the blackout and the difficulties associated with restoring sectors like telecom and healthcare. Hébert insisted that the industry has to do a better job understanding the need for mandatory standards, adding that while the NERC has done a good job working with the federal regulatory commission, there are still risks that need to be mitigated.

Hébert described the new organization, claiming it would need to be independent and tackle security from a holistic angle to ensure that everything “from the burner tip all the way down to the point that the kilowatt is actually given to the consumer” is protected.

The industry organization, tentatively titled the Institute for Electric Grid Cybersecurity is only mentioned twice in the 76-page report but the group claims that it could be loosely modeled on the Institute of Nuclear Power Operations, a group started in the wake of the accident at Three Mile Island in 1979 and involve “power sector participants” from across North America.

Those participants would ideally include local distribution utilities – there are 3,200 nationwide that delivery electricity – large generators and state utility regulators.

Still though Hayden acknowledged that to get a change to come, everyone would have to assume responsibility, most importantly the government.

“This cannot be done with just good will and executive action; it’s going to require Congress to actually face these issues and make some decisions that provide some legislative structure in terms of protection and responsibility that makes this more possible than it is today,” Hayden said.

The case for congressional action is clearly laid out in the report with one part recommending the Department of Energy allocate funds “to fully evaluate and understand systemic cyber risks” and “help regulators better evaluate the potential impacts of cyber attacks and provide needed context for weighing the benefits of utility investments in cybersecurity.”

“What permeates the report is that you can’t win this just defending the perimeter, you can’t win this with just prevention and defense ,” Hayden said.

“It’s the concept of resilience, what happens after things start to go wrong?”

As Matthew Wald, an energy reporter with the New York Times who moderated Friday’s panel reminded the audience, that’s exactly whats happening.

Things are going wrong.

Wald noted in the panel’s introduction that of the 250+ incidents reported to the Department of Homeland Security last year, two-thirds of them targeted the energy sector and grid.

One of the bigger problems with the grid came last year when two engineers Adam Crain and Chris Sistrunk discovered a vulnerability in an electrical communication protocol that’s widely used across the country. That vulnerability opened the floodgates and later led to a 20-page report “replete with vulnerabilities in 16 different system vendors.” According to a New York Times article from an October briefing the vulnerabilities, they affect a number of supervisory control and data acquisition systems (SCADA) and if used at a single, unmanned power substation, the vulnerabilities could result in “a widespread power outage.”

Triple Handshake Attacks Target TLS Resumption, Renegotiation

Threatpost for B2B - Tue, 03/04/2014 - 15:45

A team of researchers has published a paper that explains a number of attacks against websites and Web-based applications running TLS. The researchers’ techniques do not exploit implementation errors, the most common attack vector against encryption securing online communication, instead focus on exploiting features of the protocol that include session resumption followed by client authentication during session renegotiation.

The paper, called “Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS,” describes in detail how an attacker can use a man-in-the-middle attack to successfully impersonate a TLS client in attacks against TLS renegotiations, wireless networks, challenge-response protocols and channel-bound cookies.

Written by Karthikeyan Bhargavan, Antoine Delignat-Lavaud and Alfredo Pironti of the Prosecco research team at INRIA Paris-Rocquencourt, C’edric Fournet at Microsoft Research, Cambridge, and Pierre-Yves Strub of the IMDEA Software Institute, the paper demonstrates how an attacker could force a client running TLS to connect to an attacker-controlled server with an authenticated credential. The attacker’s server will then be able to impersonate the client at another server accepting the same credential, via single sign-on, for example.

“Concretely, the malicious server performs a man-in-the-middle attack on three successive handshakes between the honest client and server, and succeeds in impersonating the client on the third handshake,” the researchers wrote.

The researchers said their attacks work against leading browsers, VPN applications, and HTTPS libraries; different takes on the attacks that do not rely on renegotiation, for example, can enable spoofing of other TLS authentication such as PEAP, SASL and Channel ID.

“Our attacks exploit a lack of cross-connection binding when TLS sessions are resumed on new connections,” the researchers wrote. “Moreover, our attacks do not require an active network adversary but can be mounted only with a malicious server or website.”

The researchers dug into four TLS weaknesses, starting with a problem in the RSA handshake that enables impersonation via an unknown key-share attack, as well as another weakness in the Diffie-Hellman Exchange handshake where an attacker can use a man-in-the-middle attack between the client and server to steal sessions sharing the same keys, a different take on the same unknown key-share attack.

Session resumption on a new connection exhibits another weak link exploiting the fact that it uses an abbreviated handshake that can be forwarded between connections and accepted because it does not re-authenticate the client and server identities.

The fourth TLS issue happens during renegotiation, the researchers said, where the server and client certificates can change and applications are not properly instructed how to deal with changes and may not implement the best cert for the situation.

The researchers disclosed the vulnerabilities to a number of vendors, including the major browser vendors Apple, Google, Microsoft and Mozilla, all of which implemented a patch or some mitigation. OpenSSL, GnuTLS and GNU SASL said mitigations are pending.

Google Fixes Nearly 20 Bugs in Chrome 33

Threatpost for B2B - Tue, 03/04/2014 - 11:55

Google has fixed 19 security flaws in its Chrome browser, including more than a dozen high-risk bugs. The company paid out $3,500 in rewards to security researchers who reported flaws.

Two of the high-risk vulnerabilities fixed in Chrome 33 are use-after-free flaws, one in SVG images and the other in speech recognition. There’s also a heap buffer overflow in the software rendering. The full list of flaws that earned rewards from Google:

[$1000][344492] High CVE-2013-6663: Use-after-free in svg images. Credit to Atte Kettunen of OUSPG.
[$500][326854] High CVE-2013-6664: Use-after-free in speech recognition. Credit to Khalil Zhani.
[$2000][337882] High CVE-2013-6665: Heap buffer overflow in software rendering. Credit to cloudfuzzer.
[332023] Medium CVE-2013-6666: Chrome allows requests in flash header request. Credit to netfuzzerr.

In addition to the bugs found by external researchers, Google’s internal security team also found a large number of bugs that were fixed in this release. Google’s researchers found 11 high-risk bugs and four medium-risk vulnerabilities.

Verizon Updates Transparency Report with FISA Order Data

Threatpost for B2B - Tue, 03/04/2014 - 10:20

Verizon updated its transparency report yesterday, breaking down National Security Letter and Foreign Intelligence Surveillance Act (FISA) orders for the first and second halves of 2013.

The telecommunications giant released its first transparency report in late January, responding to pressure from privacy advocates to publish law enforcement and government requests for data in the wake of the Snowden leaks. AT&T has also published its first transparency report, though both AT&T and Verizon lag behind Internet companies such as Google, Facebook and Twitter that have been sharing data for more than a year.

Verizon’s update doesn’t radically stray from the numbers it shared in January; during the first six months of 2013, the telecom received between 0-999 National Security Letters and 0-999 FISA Orders for content and customer information. The same range of requests was true for the period between July 1 and Dec. 31, the company said.

This is the first time Verizon reported on FISA orders since a Department of Justice ruling eased a gag order on companies that prevented publishing of such data. The ruling was a concession after months of lobbying and lawsuits from Internet companies requesting greater transparency and to dispel the notion that they were complicit with government snooping on users by providing intelligence agencies and law enforcement direct access to company servers.

Now companies are allowed two reporting options, in ranges of 0-999 or specific numbers up to 250 requests and then in ranges of 250 thereafter. The DOJ also requires a six-month quiet period on FISA order requests.

“We welcome greater transparency in this area by telecommunications and internet companies, in the absence of broader information by the government collecting the data,” said Verizon general counsel Randal Milch. “We once again call on all governments to make public the number of demands they make for customer data from such companies, because that is the only way to provide the public with an accurate data set.”

Verizon also reported that between 4,000 and 4,999 customer selectors were targeted by National Security Letters and FISA Orders for content and user information. Selectors, Verizon said, are customer identifiers used by the company and that identifier is generally a phone number.

“The number of selectors is generally greater than the number of customer accounts,” Verizon said in a statement. “An NSL might ask for the names associated with two different telephone numbers; even if both phone numbers were assigned to the same customer account, we would count them as two selectors.”

Verizon reported on Jan. 22 that it also received 36,000 warrants requesting location information or stored content data from its landline, Internet and wireless services; the court-ordered location data requests, Verizon said, are growing in frequency every year.

“Verizon only produces location information in response to a warrant or order; we do not produce location information in response to a subpoena,” Verizon said in a statement at the time. Of the 35,000 requests, 24,000 were through court orders and the rest through warrants. It also received about 3,200 warrants or court orders for “cell tower dumps” where under a warrant or court order Verizon was compelled to identify the phone numbers of all phones that connected to a specific cell tower during a given period of time.

Cisco Challenging Programmers to Secure the Internet of Things

Threatpost for B2B - Mon, 03/03/2014 - 17:43

As seemingly every new gadget and electronic device is coming retrofitted with an Internet connection these days – appliances, cars and medical devices a few chief examples, the floodgates have opened ever wider for an alarming number of new attack vectors.

The burgeoning evolution of “Internet of Things,” (IoT) as the concept has colloquially become known over the last few years, has prompted Cisco Systems to issue a challenge to programmers to address these security issues before they go on to become bigger problems.

In what its dubbed the Internet of Things Security Grand Challenge the company is offering up to $300,000 in prize money to members of the global security community who propose the best practical security solutions “across the markets being impacted daily by the IoT.”

Cisco Security Group Senior VP Chris Young explains the contest of sorts on the company’s main blog, writing that $50,000 to $75,000 will be awarded to up to six recipients. According to the challenge’s site, the deadline for submissions will be June 17 and the winners will be announced at the company’s second annual Internet of Things World Forum in Barcelona, Spain later this year.

Young notes that proposals will be based on four criteria:

  • Feasibility, scalability, performance and ease-of-use
  • Applicability to address multiple IoT verticals (manufacturing, mass transportation, healthcare, oil and gas, smart grid, etc.
  • Technical maturity/viability of proposed approach
  • Proposers’ expertise and ability to feasibly create a successful outcome

“As our connected lives grow and become more richer, the need for a new security model becomes even more critical,” Young wrote.

The security instabilities of cars and medical devices have been made clear over the past several years. In 2013 researchers Chris Valasek and Charlie Miller published a thorough paper describing how they were able to hack some Ford and Toyota brand cars to control the steering, braking and other functions while they were driving. Meanwhile the Food and Drug Administration urged medical device manufacturers to take security more seriously last year, handing down a series of suggestions intended on shoring up often vulnerable devices like insulin pumps, pacemakers, and defibrillators.

300,000 Compromised Routers Redirecting Traffic to Attacker Sites

Threatpost for B2B - Mon, 03/03/2014 - 17:32

More than 300,000 small office and home office routers, most in Europe and Asia, were compromised in a campaign that started in mid-December, continuing a rash of security incidents involving home and small business networking equipment.

Researchers at Team Cymru published a report today on the pharming attacks. The attackers are overwriting DNS settings on the devices and redirecting DNS requests to attacker-controlled sites via extensive man-in-the-middle attacks.

Routers from a number of manufacturers, including TP-Link, D-Link, Micronet, Tenda, and others, are involved and victims are concentrated in Vietnam, India, Italy and Thailand. Team Cymru said it notified the affected vendors, none of which responded to its outreach. In addition, the researchers said they had notified law enforcement.

The researchers identified the IP addresses involved: 5[.]45[.]75[.]11 and 5[.]45[.]75[.]36. Since the routers’ primary DNS IP addresses are overwritten in the attacks, the victims are susceptible to denial of service if the attackers’ servers are taken down, Team Cymru said.

The attacks were detected in January on several TP-Link routers redirecting victims to the two IP addresses; the TP-Link routers were not accessible via default passwords, Team Cymru said. Instead, the hackers exploited a cross-site request forgery vulnerability on the devices and a version of the ZyXEL ZynOS firmware that was vulnerable to attacks where a hacker would be able to download a saved configuration file that included admin credentials from a URL in the web interface that did not require authentication.

Team Cymru said it observed more than 300,000 unique IP addresses sending DNS requests to the attack servers, which were acting as open resolvers, thus responding to any external request.

The researchers said in the report that the campaigns are similar to the attacks against a number of banks in Poland recently, but are likely being conducted by separate hacker groups. Poland’s mBank was targeted by similar DNS redirection attacks, which attackers used to steal credentials for online accounts. In those attacks, SMS messages were sent to victims, enticing them to approve transfers to the attackers’ accounts. The IP addresses involved in the mBank attacks were 95[.]211[.]241[.]94 and 95[.]211[.]205[.]5. Unlike the latest router attacks, only 80 or so were observed by Team Cymru.

“The scale of this attack suggests a more traditional criminal intent, such as search result redirection, replacing advertisements, or installing drive-by downloads; all activities that need to be done on a large scale for profitability. The more manually-intensive bank account transfers seen in Poland would be difficult to conduct against such a large and geographically-disparate victim group,” the report said.

Attackers have been targeting home networking gear with relative success for a bit of time now. The most recent incident was the so-called Moon worm identified by the SANS Institute. Moon spread over Linksys home and SMB routers, exploiting a CGI script vulnerability that allowed it to spread over the HNAP protocol used in Cisco devices. It was unclear at the time whether there was a malicious payload, or what kind of command-and-control communication was happening.

“There are about 670 different IP ranges that it scans for other routers. They appear to all belong to different cable modem and DSL ISPs. They are distributed somewhat worldwide),” said SANS CTO Johannes Ullrich said. “We are still working on analysis what it exactly does. But so far, it looks like all it does is spread (which is why we call it a worm “It may have a ‘call-home’ feature that will report back when it infected new hosts.”

Schneider Electric Mitigates Vulnerabilities in OPC Factory Server and Floating License Manager Products

Threatpost for B2B - Mon, 03/03/2014 - 15:34

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) last week issued advisories warning of serious vulnerabilities in Schneider Electric SCADA gear.

Schneider Electric is a supplier of energy management control products that are used in a number of critical industries in North America, including energy, water and wastewater, food, agriculture, and transportation systems.

The company reported two vulnerabilities that could allow attackers to execute malicious code. Product upgrades have been developed by Schneider Electric that mitigate the vulnerabilities.

The first affects the Schneider Electric OPC Factory Server, which provides an interface for client applications that require access to production data in real time. Versions TLXCDSUOFS33 – V3.35, TLXCDSTOFS33 – V3.35, TLXCDLUOFS33 – V3.35, TLXCDLTOFS33 – V3.35, and TLXCDLFOFS33 – V3.35 contain a buffer overflow vulnerability when a malicious configuration file is sampled, the ICS-CERT advisory said.

“When a malformed configuration file is parsed by the demonstration client, it may cause a buffer overflow allowing the configuration file to start malicious programs or execute code on the PC,” the advisory said.

The vulnerability is not remotely exploitable, keeping its severity score down.

“The exploit is only triggered when the demonstration client opens a specially modified sample client configuration file to execute malicious programs or execute code on the PC,” the advisory said.

The second vulnerability, an unquoted service path vulnerability, was found in the Schneider Electric Floating License Manager; it too cannot be exploited remotely, the ICS-CERT advisory said. Versions V1.0.0 through V1.4.0 which is used in five products from the company: Power Monitoring Expert; Struxurware process Expert; Struxureware process Expert libraries; Vijeo Citect (SCADA); and Vijeo Citect Historian.

“This vulnerability could allow attackers to start malicious programs as Windows services,” the advisory said. “When the executable path of a service contains blanks, attackers can exploit this to execute malicious programs.”

The advisory said the exploit is triggered only when a local user runs the vulnerable application and the path contains blanks; to mitigate, service paths in the registry must be surrounded with quotes, ICS-CERT said.

Schneider Electric products using the vulnerable license manager are automatically updated via the company’s update system.

Apple Updates iOS Security Paper with iCloud, Appsec Insights

Threatpost for B2B - Mon, 03/03/2014 - 15:24

Apple rarely offers anyone a glimpse inside its walled-off security garden. The last time it did was in the spring of 2012 when it released a detailed paper on the security of its iOS operating system for iPhones and iPads. The company also presented a much-anticipated if not anticlimactic presentation at the Black Hat Briefings that summer summarizing the high points of the paper.

Now, scant days after the revelation that a stunningly simple coding mistake led to emergency updates for iOS and OS X in order to close a cavernous SSL certificate-validation vulnerability, Apple has released an updated iOS security guide.

The 33-page document explains in a helpful degree of detail the inner workings of iOS system security, encryption and data protection capabilities, network security, device controls, application security and security around its Internet services such as iCloud, iCloud Keychain, iMessage and more.

The application security and Internet services sections are new additions to the paper. The services, in particular, are key hubs for iOS users’ data, not only as it’s shared via messaging applications and services, but at rest in storage services such as iCloud.

Rich Mogull, founder of consultancy Securosis, wrote in an analysis of the paper that this is the first time Apple has shared any level of noteworthy detail on iCloud and said the mechanisms deployed by Apple would make it difficult for intelligence agencies to intercept data such as iCloud Keychain passwords. Keychain allows users to sync passwords between devices running iOS and computers running OS X.

Apple said in the paper that iCloud Keychain and Keychain Recovery services are designed so that passwords are protected regardless if an account has been compromised, whether iCloud is compromised, or third parties have access to user accounts.

The paper describes an elaborate encryption scheme used by iCloud Keychain involving asymmetric cryptography in which the private key signs the public key, yet never leaves the user’s device.

“Each keychain item is sent only to each device that needs it, the item is encrypted so only that device can read it, and only one item at a time passes through iCloud,” Mogull wrote. “To read it, an attacker would need to compromise both the key of the receiving device and your iCloud password. Or re-architect the entire process without the user knowing. Even a malicious Apple employee would need to compromise the fundamental architecture of iCloud in multiple locations to access your keychain items surreptitiously.”

Apple also uses a secure infrastructure for keychain escrow allowing only authorized users and devices to recover a keychain. The escrow records are protected by clusters of hardware security modules, Apple said. Again, another complex series of events, protect the escrow record and ultimately keychain recovery.

The timing of the paper keeps the security of Apple devices in the news a bit longer. Apple’s release on iOS 7.06 late on the afternoon of Friday Feb. 21 corrected a coding mistake that removed SSL certificate checks from iOS—and later it was revealed to affect OS X as well. Attackers who successfully had pulled off a man-in-the-middle attack on the victim’s wireless network could intercept and read communication in clear text because of the goto fail bug as it has come to be known.

In an analysis of the vulnerability, Google expert Adam Langley said a server could send a valid certificate chain to the client and not have to sign the handshake. Langley summarized:

“This signature verification is checking the signature in a ServerKeyExchange message. This is used in DHE and ECDHE ciphersuites to communicate the ephemeral key for the connection. The server is saying ‘here’s the ephemeral key and here’s a signature, from my certificate, so you know that it’s from me’,” Langley wrote in his analysis. “Now, if the link between the ephemeral key and the certificate chain is broken, then everything falls apart. It’s possible to send a correct certificate chain to the client, but sign the handshake with the wrong private key, or not sign it at all! There’s no proof that the server possesses the private key matching the public key in its certificate.”

Four Vulnerabilities Found in Oracle Demantra

Threatpost for B2B - Mon, 03/03/2014 - 15:08

Oracle’s Demantra, part of the company’s Value Chain Planning suite of software, is fraught with vulnerabilities according to several bug disclosures issued over the weekend.

Researchers at the London-based computer security firm Portcullis claim the application is plagued by a four vulnerabilities that could allow an attacker to extract sensitive information, carry out phishing attacks, and modify content within the application, among other attacks.

The first problem, a local file vulnerability (CVE: 2013-5877) in the app could let an attacker harvest useful information from the web.xml configuration file or “download the whole web application source code,” according to a warning published Saturday.

A SQL injection vulnerability (CVE: 2014-0372) in Demantra could allow an attacker to extract authentication credentials and personal details from the app, along with the ability to modify content. From there, if an attacker added malicious code, they could deliver malware or target other exploits in client browsers. The security firm claims modifying content might be a bit more difficult because the attacker would have to execute a “blind” SQL injection attack and request many pages to get it to work, but still says it “does not prevent exploitation.”

A cross site scripting vulnerability (CVE: 2014-0379) in the app’s TaskSender could let an attacker execute script code in an authenticated user’s browser, which could lead to session hijacking.

This might be the most troublesome of all the bugs because it can open up a whole can of worms on top of the session hijacking.

With those credentials an attacker could then access the site as that user and perform actions as them, such as viewing and changing personal data and making transactions. The vulnerability can also be leveraged in a phishing attack in which an attacker can create a fake log-in page and get a genuine user to log in without knowing the site had been compromised.

Portcullis notes that in a worst-case scenario the attacker could even gain full control of a user’s computer if they used the XSS vulnerability to exploit any further vulnerabilities in browsers.

The last big vulnerability, a problem with the app’s backend is something the firm calls a Database Credentials Disclosure vulnerability (CVE: 2013-5795) and can let anyone retrieve the database instance name and corresponding credentials. This means that they could combine this issue with some of the others to steal database credentials.

Oliver Gruskovnjak, the chief technical officer at Portcullis pointed out all the vulnerabilities on Saturday on the company’s site and via seclists.org’s Full Disclosure mailing lists.

All issues are present in version 12.2.1 of Demantra, an analytical engine that Oracle produces that allows its users to keep track of demand management, trade planning and sales/operation planning.

Oracle just patched Demantra in January as part of its quarterly Critical Patch Update (CPU), fixing six bugs in the app, four of which were remotely exploitable without authentication. While Oracle didn’t immediately respond to a request on Monday it’s probably safe to say the company is busy working on patching these issues for its next CPU scheduled for release on April 15.

Blog: CODE BLUE in Tokyo

Secure List feed for B2B - Mon, 03/03/2014 - 04:37
On February 17th (MON) - 18th (TUE), 2014 we were at an event in Tokyo called “CODE BLUE”, a new international information security conference (http://codeblue.jp/) originating from Japan.

Government Requesting Minimal Data From CloudFlare

Threatpost for B2B - Fri, 02/28/2014 - 11:01

CloudFlare claims government requests for user data are affecting fewer than .017 percent of their two million global customers

The Web performance and security company yesterday issued the report in accordance with the Department of Justice’s new regulations for publishing information pertaining to law enforcement requests for user data. While the figure is necessarily a bit off – given that current law bars companies from including specific figures regarding domains affected by National Security Letters (NSLs) – the report suggests that the government has sought information on perhaps as many as 3400 of CloudFlare’s clients.

Their data reflect all requests as of December 31, 2013.

The company says it received 18 subpoenas last year, complying with only one of those requests. Another one request is still in process. The requests pertained to 17 separate domains but only affected one customer account.

CloudFlare says it pushed back on 16 subpoenas, all of which were rescinded. In some instances, the company claims court orders were issued in lieu of the original subpoena. In other cases, CloudFlare was simply not able to provide any information.

The company says it received 28 court orders, complying with 25 such orders. Two of the government requests remain in process. In total, court orders affected 227 domains under 38 customer accounts. For one of these court orders, CloudFlare was incapable of providing any information.

The company says it received three search warrant requests, one of which was eventually rescinded. They only ended up complying with one of the orders, though a second remains in process. The warrants affected four domains under one user account.

“In the rare instances where law enforcement has sought content such as abuse complaints or support communications, CloudFlare has insisted on a warrant for those electronic communications,” the company says. “To date, we have received no such warrants.”

The company received and complied with just one request for a pen register/trap and trace order that affected only one domain under one customer account.

In both 2012 and 2013, CloudFlare claims it received between 0-249 NSLs.

“Even assuming the high end of the range at 249 accounts affected,” the company wrote in its transparency report, “such national security orders would affect fewer than 0.02% of CloudFlare customer accounts.”

Under the new Justice Department rules, companies are allowed to report the reception of NSLs in batches of 250, starting with 0-249. In other words, no company is permitted to say that they received zero NSLs.

The company notes that the new rules are an improvement on the old ones, but “still consider[s] these new regulations to be an undue prior restraint on the freedom of speech.”

CloudFlare is also clear that has never turned over its SSL keys or its customers’ SSL keys to anyone; it’s never installed any law enforcement software or equipment anywhere on its network; it’s never terminated a customer or taken down content due to political pressure; nor has it ever provided any law enforcement organization a feed of its customers’ content transiting its network.

“If CloudFlare were asked to do any of the above,” the company claims, “we would exhaust all legal remedies, in order to protect its customers from what we believe are illegal or unconstitutional requests.”

CloudFlare’s report follows similar ones by AT&T, which received more than 2,000 NSLs, as well as Twitter, and various of the other tech giants, all of which seem to indicate that government requests for user data are on the rise.

Blog: The Future of Bitcoin After the Mt. Gox Incident

Secure List feed for B2B - Fri, 02/28/2014 - 09:00
No doubt it's been a crazy week for anyone even remotely interested in Bitcoin. Mt. Gox, once the largest Bitcoin marketplace out there, has shut down, putting a bitter end to an almost month-long situation in which all withdrawals were halted because of technical issues. As customers were unable to move their funds out from Mt. Gox, the world's most famous exchange essentially became isolated from the rest of the Bitcoin ecosystem, making the Bitcoin price traded on Mt. Gox plummet to as low as $100 for 1 BTC before the exchange went completely offline.

Fixing Trust Through Certificate Transparency

Threatpost for B2B - Thu, 02/27/2014 - 19:26

SAN FRANCISCO–The security of data being transmitted over the Web relies on a large number of moving parts, from the integrity of the machine sending the data, to the security of the browser, to the implementation of encryption, to the fragility of the certificate authority system. Experts have been spending the best part of the last decade trying to address many of these issues, but there are still a number of hard problems to solve.

One of the most difficult of these is the way that users and browsers interact with the CA system and how the CAs handle certificate issuance and attempts to tamper with the system. In the last few years, a number of methods for addressing these issues have been proposed, and some of them show real promise, including the notion of certificate transparency. This is the work of some engineers at Google and the system is designed to provide a public log of every certificate that’s issued. The user’s browser also would receive a proof with each certificate. The logs themselves are append-only and cryptographically assured.

“When implemented, Certificate Transparency helps guard against several types of certificate-based threats, including misissued certificates, maliciously acquired certificates, and rogue CAs. These threats can increase financial liabilities for domain owners, tarnish the reputation of legitimate CAs, and expose Internet users to a wide range of attacks such as a website spoofing, server impersonation, and man-in-the-middle attacks,” Google’s description of the framework says.

The method requires the CAs to cooperate and submit their certificates to these public logs, and that’s one of the things that’s holding up its broad adoption.

“We need to get the CAs to change their behavior so they emit certificates this way,” Chris Palmer, a security engineer on the Chrome team at Google, said in a talk at TrustyCon here Thursday.

Palmer said that among the current proposal to help fix the trust problem online, he believes certificate transparency has the most potential for success. Some CAs have already committed to the idea, including Digicert and GlobalSign, one of the handful of larger certificate authorities in the world. Google is running a certificate log server and there is information available in Chrome on the certificate transparency status of a given site using SSL. Google also has set up a forum that lists certificate pushes and other issues surrounding the system.

But in order for the proposal to gain more steam, more CAs need to participate and agree to publish their certificates in this way. When that happens, it could have a significant effect on finding and revoking malicious or mistakenly issued certificates.

Are Automated Update Services the Next Surveillance Frontier?

Threatpost for B2B - Thu, 02/27/2014 - 16:15

SAN FRANCISCO – As more Web-based services are encrypted, privacy advocates are concerned the next wave of aggressive surveillance activity could target automated update services that essentially provide Internet companies root access to machines.

Chris Soghoian, principal technologist with the American Civil Liberties Union, said today at TrustyCon that current malware delivery mechanisms such as phishing schemes and watering hole attacks could soon be insufficient for intelligence agencies and law enforcement such as the NSA and FBI.

“The FBI is in the hacking business. The FBI is in the malware business,” Soghoian said. “The FBI may need more than these two tools to deliver malware. They may need something else and this is where my concern is. This is where we are going and why I’m so worried about trust.”

Update services from Microsoft such as Windows Update Services have already been exploited in nation-state attacks such as Flame. Flame was a terribly complex attack that made use of collision attack to forge a Microsoft digital certificate to spoof the update service and allow infected computers to receive malicious updates from the phony service.

Soghoian said his concern is that the government will not only exploit the convenience of these update services offered by most large providers, but also that it will erode the trust users have in the services leaving them vulnerable to cybercrime, identity theft and fraud.

“There are really sound security reasons why we want automatic security updates. If consumers have to do work to get updates, they won’t, and they will stay vulnerable,” Soghoian said. “What that means though is giving companies root on our computers—and we really don’t know what’s in the code after fact. This is a point of leverage the government can use. We have no evidence they are using it right now, but these companies have a position of power over our devices that is unparalleled.”

Soghoian provided historical context to back up his overall claim that whatever access the government has to the intelligence is never enough. Going back to the early days of wiretapping 100 years ago, Soghoian said the government and law enforcement has always enjoyed a cozy relationship with telephone companies and today with telecommunications providers. Transparency reports published by Google, Facebook, Twitter, Microsoft and other giant Internet companies offer a window into the number of law enforcement requests these companies get for user data, as well as government requests related to matters of national security.

Soghoian also shared testimony going back as far as 2010 from former FBI general counsel Valerie Caproni, now a U.S. District Court judge in New York, who warned Congress repeatedly about how changes in technology will lead consumers to use Internet services that would be difficult monitor.

Soghoian cautioned that the government could take advantage of existing features in technology to get their way, citing as an example a feature in Google Android phone locks where if a user fails on their pattern to unlock their phone, Android will offer the user a prompt for the Google account credentials synched with the device. Soghoian said through Freedom of Information Act requests, it’s been revealed the government has asked for password resets on particular users in order to access their accounts or devices.

More concerning still is the government’s ability to use a court order to add features that do not exist in products currently. Skype, he said, was served with a directive from the Attorney General to modify its end-to-end encryption capabilities in order to give the FBI access to encrypted communication, something that was revealed in the Snowden documents.

“We still don’t know what Skype did and when, and what law was used,” Soghoian said, adding that Edward Snowden’s secure email provider Lavabit was also served with a similar court order for its SSL keys. Rather than remain complicit, Lavabit closed its doors. If update services are the next surveillance frontier, Soghoian hopes the respective companies remain vigilant, because the APIs used to deliver code can be used to deliver code to specific people.

“I would hope Google would fight that type of order all the way to the Supreme Court. The same goes for Apple and Microsoft and others,” he said. “I hope the companies we depend on and trust would fight.”

Lavabit Case May Be One of Many in Coming Years

Threatpost for B2B - Thu, 02/27/2014 - 16:10

SAN FRANCISCO–The Lavabit case, which saw the secure email provider’s owner shut the company down after being forced to hand over to the government the encryption key that protected his users’ data, may seem like an extreme reaction to a unique situation. But, experts say it’s likely that there will be similar situations in the near future, and technology providers an users should change the way they think about what the threats to their data may be.

The FBI went to Lavabit’s founder, Ladar Levison, last year in the wake of the NSA revelations and demanded access to the encrypted emails of one of its users, Edward Snowden. After a lot of back and forth and legal wrangling, Levison eventually turned over the encryption key that protected the communications of all of his users, and then promptly closed the business. Marcia Hoffman, one of Levison’s lawyers, said that she believes there will soon be other cases like Lavabit.

“I don’t believe that Lavabit is a unicorn,” she said in a talk at the TrustyCon conference here Thursday. “We need to update our threat models. Ladar was worried about data at rest, not data in transmission. The threats are different than we thought. Security and privacy enhancing services are really in the crosshairs. To the extent that you design a service like Lavabit, you should be thinking about how you’re going to deal with government requests.”

Those threats now include not just attackers and cybercriminals, but governments and their lawyers. Hoffman said that the way the government is interpreting surveillance and wiretapping laws now has put technology companies in a difficult position. CALEA, the statute that requires telecom companies and others to help law enforcement agencies with lawful intercept and wiretapping operations specifically didn’t apply to information technology companies, she said.

“The government has taken the position that a service provider has to provide any information that the government wants,” she said. “If you don’t like turning over your keys, you can just backdoor your system. Putting this kind of pressure on Internet companies really flies in the face of what Congress decided.”

The Lavabit case is still wending its way through the court system, as Levison is appealing a contempt of court order against him. Hoffman said that the broader issues related to the case–the use of encryption and the government’s efforts to get at encrypted data–will only become more important in the months and years ahead. And she also warned users not to become too enamored of new, supposedly surveillance-resistant communications services that are springing up.

“If you don’t have a reasonable expectation of privacy in encrypted data, where do you have that expectation?” she said. “We need to stop making promises to users that we don’t know if we can keep, like NSA-proof email. I would be very skeptical of claims like that. I don’t know if anybody can actually make a promise like that.”

Syndicate content