Feed aggregator

Siemens Ruggedcom Addresses BEAST Flaw in WiMax Products

Threatpost for B2B - Wed, 04/09/2014 - 08:00

The BEAST attack on some TLS implementations made major news when it was disclosed, showing that attackers could intercept and decrypt SSL-protected sessions in real time, breaking a significant portion of the confidentiality model of the protocol. Vendors rushed to patch and implement mitigations. That was in 2011. Nearly three years later, Siemens is pushing out a patch for a BEAST vulnerability in its Ruggedcom WIN WiMax platform.

The Ruggedcom WIN line comprises wireless base stations and subscriber stations and is designed to be secure and work in either fixed or mobile environments. On Tuesday, ICS-CERT posted an advisory, warning that several of the WIN products were vulnerable to a BEAST attack.

The flaw lies in the Web interface of the affected products, and Siemens has pushed out a firmware update that addresses the vulnerability.

“The SSL/TLS secured web interface of the affected products is vulnerable to the BEAST attack. As it uses SSL libraries, which are not compatible with 1/n-1 record splitting, some newer browser versions are not able to connect to the web interface,” the advisory says.

“An attacker who successfully exploits a system using this vulnerability may be able to access the session ID of the user’s current web session. If combined with a social engineering attack, the attacker may be able to read traffic exchanged between the user and the device.”

The affected products include WIN7000: all versions prior to v4.4, WIN7200: all versions prior to v4.4, WIN5100: all versions prior to v4.4, and WIN5200: all versions prior to v4.4, the advisory says.

The BEAST vulnerability in these products is remotely exploitable and ICS-CERT said that an attacker with middling skills would be able to exploit it. The update that Siemens released does not technically fix the vulnerability; instead, it enables the Web interface on the affected products to work with modern browsers that contain the BEAST mitigations.


Application Security the Etsy Way

Threatpost for B2B - Wed, 04/09/2014 - 08:00

BOSTON – Etsy is one of the Web’s biggest marketplaces. Its developers may be one of the Web’s busiest teams.

The vintage and homemade goods online store will proudly push code to production upwards of 50 times a day. And, according to Kenneth Lee, senior product security engineer, they do so with confidence they’re not going to break the site.

Lee explained during a talk Tuesday afternoon at Source Boston how Etsy has embraced a number of DevOps principles, in particular the marriage of development and monitoring processes, in order to push bug fixes, patches and feature enhancements.

Etsy relies on what it calls Feature Flags, code wrappers that allow security engineers to easily find particular functionality in the code tree, fix it if necessary, and roll it out incrementally to specific segments of Etsy users while determining how it will impact site availability and performance.

“We use them in development, QA and production,” Lee said. “Having code that uses feature flags gives you the ability, from an application security perspective, to easily find where interesting code is being utilized. When new functionality is ramped up to the website and we need to find it, it takes five seconds of grepping to find where it’s being used.”

Particular changes can be rolled out slowly and to certain users, such as to only one percent or 10 percent of buyers or sellers. Adding Feature Flags to old, legacy code also gives security engineers the ability to add logging tags that were previously left off.

“You need to be on top of your logging game to take advantage of Feature Flags,” Lee said. “With old features with no logging in place, when you have to write a fix, you can add logging lines so you’ll have that awareness for future alerting and logging purposes.

“We always deploy with confidence,” Lee said. “With Feature Flags, we’re never forced into a scenario where it’s all or nothing when pushing out a security fix. Feature Flags give you the flexibility to make a decision of whether to ramp it up to five percent or 50 percent of users to see if anything breaks.”

The team also wrote a Web-based tool for its developers called Supergrep, which calls out any lines of code that could be anomalous as they’re logged. Developers can see these unusual log patterns pop up as changes are made.

“Supergrep gives developers context. By having context, developers can filter out noise in things you expect to see in logs that’s OK versus what’s not OK,” Lee said.

This approach and ability to continue to evaluate a patch as it is rolled out incrementally is crucial because it also helps with deployments of high-priority patches. For example, Lee said, a vulnerability may be rated severe, but if it has not been exploited, there’s time for additional evaluation of logs to determine whether any activity on the network is taking advantage of it.

“It’s a powerful thing to say we can fix it today or wait until Monday at 9 a.m.,” Lee said. “If we write a patch, with Feature Flags, we can push out code and that doesn’t mean it’s on. By having a slow ramp up approach, you get the best of both worlds and ramp up slowly so you don’t take down the whole site.”

Analysis: Financial cyber threats in 2013. Part 2: malware

Secure List feed for B2B - Wed, 04/09/2014 - 06:00
Programs designed to steal e-money and financial data are among the most complicated types of malicious software out there today.

Blog: The omnipresent dad

Secure List feed for B2B - Wed, 04/09/2014 - 05:00

Many websites show different text depending on where the user lives. For instance, home pages of some portals show you the news and weather of your region by default, because you are most likely to be interested in this kind of information first of all.

Blog: Adobe Updates April 2014

Secure List feed for B2B - Tue, 04/08/2014 - 16:38
This month's Adobe Patch Tuesday revolves around Flash.

Last Call for XP, Office 2003 Updates: April Patch Tuesday Fixes 11 Vulnerabilities

Threatpost for B2B - Tue, 04/08/2014 - 15:52

As expected, Microsoft issued its final epitaph for Windows XP today, pushing out four security bulletins for 11 vulnerabilities, including the last updates for the oft-maligned, thirteen-year-old operating system. 

Despite it being XP’s last gasp from a security standpoint, it’s actually a relatively light batch of Patch Tuesday updates this month. Two of the bulletins are branded critical and the other two important, but all of them can lead to remote code execution in their respective software, including recent versions of Word and some versions of Internet Explorer, if left unpatched.

The first critical patch (MS14-017) fixes a zero day first discovered last month in Microsoft Word. The patch fixes three vulnerabilities in total, chief among them the RTF memory corruption vulnerability that’s been discussed in depth over the past month. That bug could open the program up to remote code execution and let an attacker gain administrative rights if a specially crafted RTF file is either opened or previewed in Word or Outlook. Microsoft warned about the vulnerability – first in an advisory last month, then in a Fix-It – after it discovered limited targeted attacks that used it as a vector in the wild. The exploit for the zero day, rather complex in nature, includes ASLR bypass, ROP techniques and shellcode with multiple mechanisms designed to circumvent analysis. In addition to the memory corruption bug, the patch also fixes two additional vulnerabilities: a file format converter vulnerability in Office and a stack overflow vulnerability in Word.

The Word issue is the only bug being patched today that’s actively being exploited, so naturally experts are calling it the biggest priority of the four for service administrators.

“This continues a trend we’ve seen of Office-based exploits being successfully used in targeted attacks over the past few years,” Marc Maiffret, the CTO of BeyondTrust said Tuesday. “Deploy this patch as soon as possible to fix vulnerabilities in both Word and Office Web apps.”

The second critical patch (MS14-018) also fixes a memory corruption bug, six of them to be exact, in most versions (6-9, 11) of Internet Explorer. Much like the Word vulnerability, if a user were to stumble upon a malicious webpage, an attacker could exploit the bug to execute code on the computer in the context of its current user. This vulnerability is one of two that affect components on XP, including IE 6 for those still running XP’s Service Pack 3 and its Professional x64 Edition Service Pack 2.

A previously disclosed file handling vulnerability (MS14-019) that could have allowed remote code execution in Windows was also fixed by today’s updates. If the flaw is left unpatched, an attacker could trick a user into running a specially crafted .bat or .cmd file and gain command. While still important, it’s safe to say this vulnerability may be the least dangerous of today’s patches, as a user would have to be tempted to execute a batch file on a malicious network share. Still, this is the second issue that could affect users running some outdated versions of XP.

The last patch (MS14-020) addresses a hole that could open a machine up to remote code execution if someone were to open a specially crafted Microsoft Publisher file.

While it may seem minor, Ross Barrett, Senior Manager of Security Engineering at Rapid7, is encouraging any firms that use the software on their system to prioritize the patch.

“I expect anyone who still works with it might actually be gullible enough to click on email attachments of Publisher documents,” Barrett said of the vulnerability on Tuesday.

On top of the two bulletins that affect XP, both the Publisher issue and the Word issue figure into two bulletins that also affect Microsoft Word 2003, the final four updates for both XP and Office 2003.

If somehow you missed it, Microsoft is ending support for XP, Internet Explorer 6 and Office 2003 today, meaning this month’s patches mark the last time the company will issue security updates for these products. While it’s only a scant four bulletins, this makes April’s Patch Tuesday an essential one for those who rely on the outdated platforms and apps.

It’s assumed many admins are in the process of migrating off of XP – but it’s likely they’ll continue to have their hands full, not just with today’s updates, but also recent updates from Google, Mozilla, Apple and other companies following last month’s Pwn2Own competition.

It’s widely expected that a subset of attackers will ramp up exploits targeting XP after today and potentially examine patches for modern Windows 7 and 8 systems and adapt them to now no-longer supported XP machines.

Learn How to Speak ‘Cyber,’ Even If It Pains You

Threatpost for B2B - Tue, 04/08/2014 - 15:03

BOSTON – The cynical security wonk wouldn’t necessarily lower himself to use the word “cyber” in an elevator pitch about his profession or day-to-day responsibilities. After all, how would that go over in the Twittersphere, or at an industry conference?

At the risk of peer derision, security people frankly need to get over themselves and learn how to communicate the risks and threats businesses face every day in a language society at large speaks. Society speaks “cyber,” for example, and doesn’t relate to ideas and processes such as risk assessments, vulnerability management and any other ubiquitous notion in the security lexicon that just doesn’t translate outside the security bubble.

Justine Aitel, the head of cyber risk at Dow Jones, delivered that message during her keynote at Source Boston 2014 Tuesday afternoon. Aitel’s talk was a refreshing take on the echo chamber that plagues security, urging engineers, developers, administrators and researchers alike to escape the insular nature of the industry and foremost, learn how to communicate with the outside world. She spoke of the problem in the context of what she called the participation age, where efforts such as crowdsourcing and crowdfunding have become pervasive and have flipped the balance of power and influence on its head.

“What has the participation age given us? It’s given a voice to the little guy and has brought transparency to the way the big guy works,” Aitel said. “IT risk has not moved into the participation age properly. We have failed to communicate well outside the industry with society at large. Society doesn’t understand what we do.”

Aitel emphasized the need for soft skills beyond just speaking the business’s language.

“We’ve amassed all this secret power and technical capabilities. We know how to start, stop and control systems,” Aitel said. “But with power comes problems. People in positions of power are not known as great communicators and are not known for being willing to evolve.

“If we want our industry to participate, we have to learn how to communicate beyond our industry, change the way we behave, listen, and share,” Aitel said. “Listening is hard, and most of us suck at listening. It sounds so basic, so many are not capable of doing this.”

Aitel is a year into her stint at Dow Jones, the parent company of the Wall Street Journal and other media properties. The media industry is in a time of flux and immense competitive pressure, and Aitel said flexibility and agility are key to long-term success. In her position as the enterprise’s top risk evaluator and policy maker, she’s charged with understanding and communicating risk beyond her team’s cubes. Having a spreadsheet of vulnerabilities is a record of risk to the business, but if she cannot explain why a particular CVE is a danger to Dow Jones, she won’t get prioritized development time to get code changes implemented.

“Change code requests are not good enough,” Aitel said. “I have to translate those into business risks. That’s really helped us.”

Aitel also pointed out another shortcoming: the lack of metrics that enable security management to make quick decisions about IT risk. Hiring consultants at a steep cost doesn’t scale when it comes to translating risks beyond vulnerabilities and threats. Again, learning softer skills is a hand-in-hand necessity along with technical chops.

“Our industry rewards people for their strengths. We celebrate vulnerability exploitation or cryptography expertise,” Aitel said. “We don’t celebrate people who work on weaknesses such as communication skills. If we don’t focus on them, we’re not going to be able to reach outside our industry and we won’t stay relevant in the participation age.”

Google Patches 31 Flaws in Chrome

Threatpost for B2B - Tue, 04/08/2014 - 14:55

Google has patched a long list of serious security vulnerabilities in Chrome, including at least 19 highly rated flaws. The company patched a total of 31 vulnerabilities in Chrome 34 and paid out more than $28,000 in rewards to researchers who reported bugs to Google.

Among the security fixes in Chrome 34 are patches for a number of use-after-free vulnerabilities in various components of the browser. Google’s internal security team also discovered quite a few of the vulnerabilities patched in the latest release.

In addition to the security patches, Google introduced a change in Chrome 34 that will allow users to save passwords in the browser even if they have the autocomplete feature disabled.

“As we’ve previously discussed, Chrome will now offer to remember and fill password fields in the presence of autocomplete=off. This gives more power to users in spirit of the priority of constituencies, and it encourages the use of the Chrome password manager so users can have more complex passwords. This change does not affect non-password fields,” Daniel Xie of the Chrome team said.

Here’s the list of public bugs fixed in Chrome 34:

[$5000][354123] High CVE-2014-1716: UXSS in V8. Credit to Anonymous.

[$5000][353004] High CVE-2014-1717: OOB access in V8. Credit to Anonymous.

[$3000][348332] High CVE-2014-1718: Integer overflow in compositor. Credit to Aaron Staple.

[$3000][343661] High CVE-2014-1719: Use-after-free in web workers. Credit to Collin Payne.

[$2000][356095] High CVE-2014-1720: Use-after-free in DOM. Credit to cloudfuzzer.

[$2000][350434] High CVE-2014-1721: Memory corruption in V8. Credit to Christian Holler.

[$2000][330626] High CVE-2014-1722: Use-after-free in rendering. Credit to miaubiz.

[$1500][337746] High CVE-2014-1723: Url confusion with RTL characters. Credit to George McBay.

[$1000][327295] High CVE-2014-1724: Use-after-free in speech. Credit to Atte Kettunen of OUSPG.

[$3000][357332] Medium CVE-2014-1725: OOB read with window property. Credit to Anonymous.

[$1000][346135] Medium CVE-2014-1726: Local cross-origin bypass. Credit to Jann Horn.

[$1000][342735] Medium CVE-2014-1727: Use-after-free in forms. Credit to Khalil Zhani.

Blog: Microsoft Updates April 2014 - Office and Internet Explorer Critical Vulnerabilities

Secure List feed for B2B - Tue, 04/08/2014 - 13:58
Absolutely all of the latest versions of Microsoft Word and some versions of Internet Explorer maintain critical vulnerabilities enabling remote code execution. Today, Microsoft releases two critical patches to close multiple vulnerabilities with each. Two important updates are released to address a batch file handling issue and another RCE hole in Microsoft Publisher. All of these are addressed with MS14-014 through MS14-018.

Real-Time, Interactive Map Tracks Global Cyber Threats

Threatpost for B2B - Tue, 04/08/2014 - 10:07

Information security has become a global problem, and getting a handle on the scope of the threats to users is a difficult task. A new interactive infographic illustrates a variety of cyber threats in real time, as detected by the Kaspersky Security Network (KSN).

The threats are broken down by type into six categories: on-access scans (OAS), on-demand scans (ODS), web antivirus (WAV), mail antivirus (MAV), intrusion detection systems (IDS), and vulnerability scans (VUL). Users can view the statistics for each of these types of threats globally or per country, by clicking on individual countries within the map.

The graphic essentially represents a real-time painting of threats detected by the millions of users and partners around the world that have opted into the company’s distributed infrastructure of threat-intelligence data gathering.

More specifically, threats in the OAS category are those that are triggered when an antivirus program begins scanning malicious objects in the open, run, copy, or save operations. The ODS sub-system is triggered when a user manually scans for and finds a virus. The WAV category contributes to the map when security systems detect a new malicious Web object. The MAV type constitutes those threats that are detected by scanners within user-email systems. When programs detect malicious objects within the network stack, the IDS sub-system is triggered. And the VUL category lights up when a separate vulnerability-based module finds malware targeting known bugs.

Beyond the types of threats detected on a per-country basis, map-viewers can also see where each country ranks in terms of the number of infections detected there. Right now, Russia, Vietnam, India, the United States, and Germany make up the top five most-infected countries in the world. China (6), Indonesia (7), France (8), Kazakhstan (9), and Ukraine (10) round out the rest of the world’s top 10 most-infected countries per Kaspersky Lab data.


Seriousness of OpenSSL Heartbleed Bug Sets In

Threatpost for B2B - Tue, 04/08/2014 - 10:00

UPDATE–Site operators and software vendors are scrambling to fix the OpenSSL heartbleed bug revealed Monday, a vulnerability that enables an attacker to extract 64 KB of memory per request from a server. Attacks can leak private keys, usernames and passwords and other sensitive data, and some large sites, including Yahoo Mail and others, are vulnerable right now.

The vulnerability exists in OpenSSL 1.0.1f and older versions and the maintainers released a patch for the flaw on Monday. However, now that the details of the vulnerability are public, researchers have begun digging into it and several tools have been published to test various domains to see whether they’re vulnerable. Some high-profile sites, including Yahoo Mail, LastPass, the OpenSSL site and the main FBI site have been confirmed to leak certain information via the bug. There also is a proof-of-concept exploit for the flaw posted on GitHub.

LastPass officials said that they patched the vulnerability Tuesday morning, and that user data was never at risk. The company was running a vulnerable version of OpenSSL, but had other security measures in place that mitigated the risk.

“However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted – it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern,” the company said in a blog post.

“Also, LastPass has employed a feature called ‘perfect forward secrecy’. This ensures that when security keys are changed, past and future traffic also can’t be decrypted even when a particular security key is compromised.”

The vulnerability lies in the way that OpenSSL handles the heartbeat extension in the TLS protocol.

A missing bounds check allows an attacker to read up to 64 KB of memory on a machine protected by OpenSSL.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users,” a description of the vulnerability written by Codenomicon says.

OpenSSL is perhaps the most widely deployed SSL library and appears in a wide variety of applications, including a number of Linux distributions. Red Hat and Ubuntu already have issued patches for the vulnerability.

But the larger problem is that many SSL certificates could be compromised now, as the secret key that protects a given certificate could be disclosed in an attack on this vulnerability. The process of revoking and reissuing those certificates could go on for a long time, depending upon how many organizations realize their sites are vulnerable and how quickly they respond.

“It’s a nightmare vulnerability, since it potentially leaks your long term secret key — the one that corresponds with your server certificate. Worse, there’s no way to tell if you’ve been exploited. That means the prudent thing to do now is revoke your certificate and get a new one. We’ll see how many people do that,” said cryptographer Matthew Green, a professor at Johns Hopkins University.

The vulnerability in OpenSSL appears to have been introduced two years ago. A test site that enables users to enter domains to check their vulnerability status has been up since Monday.

Ivan Ristic, director of application security research at Qualys, said that the OpenSSL heartbleed flaw is potentially quite damaging for many organizations because of the ease of exploitation and the implications of a successful attack.

“This vulnerability is very easy to exploit. It’s very easy to build from scratch (starting with the OpenSSL diff), and there are also several tools that can be downloaded and used, in a matter of minutes,” Ristic said.

“According to the SSL Pulse statistics, about 32% of the servers in that data set support TLS 1.2. Chances are most of them run OpenSSL, and are thus vulnerable. So that’s a very large number of servers. Because this is so easy to exploit, we’re already seeing many attacks. Servers that did not have Forward Secrecy are the most vulnerable, because a serious adversary, who has a recording of the encrypted site traffic, might now be able to easily recover the site’s private key and use it to decrypt traffic retroactively.”

This article was updated on April 8 to include information from LastPass.

The Muddy Waters of XP End-of-Life and Public Disclosures

Threatpost for B2B - Tue, 04/08/2014 - 06:03

Windows XP security support ends Tuesday and until now, most of the public hand-wringing over XP’s end-of-life has been about the potential for malware outbreaks against unpatched vulnerabilities that have been stockpiled by hackers anxiously awaiting April 8, 2014.

But what about vulnerabilities in XP that have been responsibly shared with Microsoft and won’t be fixed? Those too are perpetual zero-days after Tuesday.

Microsoft has made huge strides in developing trusted relationships with security researchers who are actively submitting bugs to Microsoft across its product lines. For Microsoft’s part, it has done outreach to researchers, clarified disclosure policies and processes and established bounty programs for bypasses of innate Windows mitigations.

And Microsoft isn’t to be faulted for its business decision made long ago to end extended support for XP that includes security patches. Yet the fact remains whatever XP systems remain in circulation after tomorrow will be exposed and that brings up questions, such as: How will white or gray hats respond? For example, will there be a firestorm of public disclosures in the coming weeks?

“I know a subset of people who have disclosed stuff [in XP] to Microsoft that has not been patched, and that’s given what I know. I’m sure there’s more I don’t know of,” said Ross Barrett, senior manager of security engineering at Rapid7. “I wouldn’t encourage researchers to publicly disclose their research because they think that might make Microsoft issue a patch, because that’s not going to happen. The only result is that it would increase the exposure for people at large.

“It’s a muddy bit of water,” Barrett said. “Microsoft has been good about dealing with researchers who have been doing the right thing by following responsible disclosure procedures, but now they’re not seeing action.”

Microsoft did not respond to a request for comment in time for publication.

HP’s Zero Day Initiative, which buys vulnerabilities and exploits from researchers and shares them first with customers and then the affected vendor, has 203 advisories pending public disclosure listed on its website, 54 of which are Microsoft vulnerabilities going back a year. The website doesn’t list the specific Microsoft product affected, but Microsoft has more than any other major vendor on the list.

“I’m sure there’s tons of stuff still out there; some of it is design flaw stuff that Microsoft can’t fix or never got around to it,” Barrett said. “I’m sure there’s a backlog of stuff, but the clock has run out on XP.”

Microsoft has already announced its final XP patch, a fix for a zero-day in Word that will be available Tuesday (Office 2003 support also ends Tuesday). The fear among some experts is that hackers will look at Microsoft security bulletins for vulnerabilities in supported products and trace those back to their potential exploitability in XP.

“Absolutely hackers do that,” Barrett said. “If you’ve got a vulnerability in this file, they’ll track it back to a particular DLL and see that it’s been part of the OS since 2002 and not updated since 2004, they’ll know it’s vulnerable.

“You might see a golden age of XP vulnerabilities for the next four to six months when adoption of XP is still relatively high and countermeasures are no longer in place. Then you’ll start to see it fade as it’s less used.”

Qualys CTO Wolfgang Kandek has been tracking XP use in certain industries through the company’s vulnerability scanner. Financial institutions still have the highest use of XP at 21 percent, followed by transportation at 14 percent (though this has dropped from 55 percent 12 months ago). Retail, another industry run ragged by hackers, is also at 14 percent. Support for Windows XP Embedded, which runs inside a number of consumer and commercial devices in these industries, does not run out until Jan. 12, 2016.

“This is an additional weakness for these (retail) systems,” Kandek said. “There are already problems with remote management, default passwords that work everywhere, a bunch of things that were done to make management easier that were not configured well. This just adds to it.”

Kandek said that roughly 70 percent of vulnerabilities that were patched in 2013 were found in Windows 8 through XP.

“I don’t see why that would stop in May, June or July. Attackers can use that knowledge as a pointer into XP to find if a vulnerability exists. It’s an accelerator for them. My feeling is that after two or three months, there will be tools in public that reliably exploit XP. I can definitely see how that would make an attacker’s work much easier.”

Blog: End of the line for Windows XP

Secure List feed for B2B - Tue, 04/08/2014 - 04:50

Support for Windows XP is ending: after today there will be no new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates.

OpenSSL Fixes Serious TLS Vulnerability

Threatpost for B2B - Mon, 04/07/2014 - 16:23

The maintainers of the OpenSSL library, one of the more widely deployed cryptographic libraries on the Web, have fixed a serious vulnerability that could have resulted in the revelation of 64 KB of memory to any client or server that was connected.

The details of the vulnerability, fixed in version 1.0.1g of OpenSSL, are somewhat scarce.

The OpenSSL Project site says that the bug doesn’t affect versions prior to 1.0.1.

“A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server,” the OpenSSL release notes for 1.0.1g say.
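The bounds check that the release notes above and the Threatpost Heartbleed coverage describe as missing, shown as an added example (not OpenSSL's code and not from the articles): a heartbeat responder following the RFC 6520 message layout that discards any request whose claimed payload length exceeds what the record actually holds. All function names and the sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE  2   /* heartbeat_response (RFC 6520) */
#define HB_HEADER    3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16   /* minimum padding required by RFC 6520 */
#define HB_MAX_MSG  (HB_HEADER + 65535 + HB_MIN_PAD)

/* Payload length the sender CLAIMS: a big-endian uint16 after the type byte.
 * Its 16-bit range is where the "up to 64 KB" figure comes from. */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* How many bytes beyond the received record a responder would copy if it
 * trusted the claimed length. Computed only; nothing is read out of bounds. */
size_t hb_overread_if_unchecked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = hb_claimed_len(rec);
    size_t present = rec_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Hardened responder: returns the response length, or 0 to discard silently. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_MIN_PAD) return 0;   /* too short to parse */
    if (rec[0] != HB_REQUEST) return 0;
    size_t claimed = hb_claimed_len(rec);
    /* The bounds check: type + length + payload + padding must fit in the
     * bytes that actually arrived. */
    if (claimed > rec_len - HB_HEADER - HB_MIN_PAD) return 0;
    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* echo the payload */
    /* RFC 6520 calls for random padding; zeros keep the example short. */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);
    return resp_len;
}

/* Constructed sample input: a request carrying `payload` but claiming
 * `claimed` bytes of payload. Returns the record length. */
static size_t make_record(uint8_t *buf, uint16_t claimed, const char *payload) {
    size_t actual = strlen(payload);
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + HB_HEADER, payload, actual);
    memset(buf + HB_HEADER + actual, 0, HB_MIN_PAD);
    return HB_HEADER + actual + HB_MIN_PAD;
}

static uint8_t g_out[HB_MAX_MSG];

/* Well-formed request: 4-byte payload, claims 4 bytes. */
size_t demo_honest_len(void) {
    uint8_t rec[64];
    size_t n = make_record(rec, 4, "ping");
    return hb_build_response(rec, n, g_out, sizeof g_out);
}

int demo_honest_echo_ok(void) {
    return demo_honest_len() == 23 && g_out[0] == HB_RESPONSE &&
           memcmp(g_out + HB_HEADER, "ping", 4) == 0;
}

/* Malformed request: 4-byte payload, claims 65535 bytes. */
size_t demo_malformed_len(void) {
    uint8_t rec[64];
    size_t n = make_record(rec, 0xFFFF, "ping");
    return hb_build_response(rec, n, g_out, sizeof g_out);
}

size_t demo_malformed_overread(void) {
    uint8_t rec[64];
    size_t n = make_record(rec, 0xFFFF, "ping");
    return hb_overread_if_unchecked(rec, n);
}

int main(void) {
    printf("honest request    -> response of %zu bytes\n", demo_honest_len());
    printf("malformed request -> response of %zu bytes (discarded)\n",
           demo_malformed_len());
    printf("without the check, bytes read past the record: %zu\n",
           demo_malformed_overread());
    return 0;
}
```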

The OpenSSL library is deployed in a huge number of operating systems and applications, including a wide variety of Unix and Linux distributions, as well as OS X. Popular Web servers such as Nginx and Apache also are affected, as are some major cloud-based applications and platforms, including CloudFlare. That company’s engineers implemented a fix for the OpenSSL vulnerability last week, before the details of the bug were disclosed.

“OpenSSL is the core cryptographic library CloudFlare uses for SSL/TLS connections. If your site is on CloudFlare, every connection made to the HTTPS version of your site goes through this library. As one of the largest deployments of OpenSSL on the Internet today, CloudFlare has a responsibility to be vigilant about fixing these types of bugs before they go public and attackers start exploiting them and putting our customers at risk,” Nick Sullivan of CloudFlare wrote in a blog post.

“We encourage everyone else running a server that uses OpenSSL to upgrade to version 1.0.1g to be protected from this vulnerability. For previous versions of OpenSSL, re-compiling with the OPENSSL_NO_HEARTBEATS flag enabled will protect against this vulnerability. OpenSSL 1.0.2 will be fixed in 1.0.2-beta2.”

The folks at Codenomicon have put together an FAQ on the bug, which they’ve dubbed the Heartbleed vulnerability. Their explanation says that the flaw could enable anyone on the Internet to read the memory of a machine that’s protected by a vulnerable version of the library.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users,” the description says.

“You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore, you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.”

OpenSSL 1.0.1g also includes a fix that addresses a certain variety of side-channel attack.

“The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack,” the CVE entry for the bug says.
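The difference between a branching and a constant-time conditional swap inside a Montgomery ladder, as an added example that is not OpenSSL's code. It uses the modular-exponentiation form of the ladder as a stand-in for the elliptic-curve one named in the CVE entry; the function names are hypothetical, and the `%` arithmetic is not claimed to be constant-time, only the swap is the point.

```c
#include <stdint.h>
#include <stdio.h>

/* Leaky form: whether the swap body runs depends on the secret bit, so
 * timing and cache state differ between bit = 0 and bit = 1. */
static void swap_branchy(uint64_t *a, uint64_t *b, unsigned bit)
{
    if (bit) { uint64_t t = *a; *a = *b; *b = t; }
}

/* Branch-free form: the same instructions and memory accesses for either bit. */
static void swap_ct(uint64_t *a, uint64_t *b, unsigned bit)
{
    uint64_t mask = (uint64_t)0 - (uint64_t)(bit & 1);   /* 0 or all ones */
    uint64_t t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder computing x^k mod m, for 0 < m < 2^32 so products fit in
 * 64 bits. Every iteration does one multiply and one square; only the
 * conditional swaps depend on the secret exponent bit. */
uint64_t ladder_pow(uint64_t x, uint32_t k, uint64_t m, int constant_time)
{
    void (*cswap)(uint64_t *, uint64_t *, unsigned) =
        constant_time ? swap_ct : swap_branchy;
    uint64_t r0 = 1 % m, r1 = x % m;
    for (int i = 31; i >= 0; i--) {
        unsigned bit = (k >> i) & 1;
        cswap(&r0, &r1, bit);
        r1 = (r0 * r1) % m;
        r0 = (r0 * r0) % m;
        cswap(&r0, &r1, bit);
    }
    return r0;
}

int main(void)
{
    printf("%llu %llu\n",
           (unsigned long long)ladder_pow(3, 5, 65537, 0),
           (unsigned long long)ladder_pow(3, 5, 65537, 1));
    return 0;
}
```

Both variants return the same result; what differs is whether the instruction and memory-access pattern depends on the secret bits, which is what a cache side channel observes.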

New Zeus Variant Comes Complete With a Signed Certificate

Threatpost for B2B - Mon, 04/07/2014 - 14:51

Yet another variant of the Zeus banking Trojan has surfaced; this one comes disguised as an Internet Explorer document and uses an authentic digital certificate to download a rootkit onto infected machines.

According to researchers at the SSL firm Comodo, more than 200 examples of the Trojan have been discovered in the wild so far.

Launched via a simple Man-in-the-Browser (MitB) attack, the Trojan relies on a user either downloading a suspicious attachment in an email or being hit with the exploit. From there the fake IE document goes ahead and does some fairly routine Zeus things like stealing user data entered into web forms, login credentials, and credit card information, in order to perpetrate financial fraud.

What’s interesting is that Comodo claims the bogus IE file is signed with a seemingly legitimate certificate from the Swiss software development firm Isonet AG, something that’s allowed the malware to proceed undetected by antivirus systems.

Once it runs, the file copies itself to memory and is executed, and rootkit components are downloaded from two locations. The rootkit is decrypted into a driver and installed in the Boot Bus Extender group, making certain it can run before other drivers, something that helps keep the Trojan even more covert.

“Its purpose is to protect malicious files and auto-run entries from being deleted by user or antivirus software, increasing difficulty of the removal process,” Comodo wrote in a description of the malware last Thursday.

Using fake and stolen SSL certificates has become commonplace among criminals looking to con users and put their machines at risk. It was just a few months ago that a slew of fake certificates were caught masquerading as legitimate ones from services like Facebook, YouTube and iTunes.

In the wake of big-name CA hacks like GlobalSign and DigiNotar over the last few years, Google updated all of its SSL certificates to 2048-bit RSA up from 1024 last fall and is in the midst of limiting certificate validity to 60 months, along with Mozilla, in hopes of preventing further subordinate certificate abuse.

When it comes to certificate abuse, Comodo found itself in the news back in 2011 when it accidentally granted a certificate to an Iranian hacker who went on to issue himself a handful of valid certificates for Google, Yahoo, Skype, Mozilla, and other domains. Comodo was quick to revoke the fraudulent certificates and deploy additional audits and controls to combat future incidents.

Crypto Model Based on Human Cardiorespiratory Coupling

Threatpost for B2B - Mon, 04/07/2014 - 14:21

A novel and theoretical encryption scheme inspired by new insights into the way that the human heart and lungs communicate is said to be substantially different than existing crypto-methods and highly resistant to conventional attacks.

The research was undertaken and published by Professors Tomislav Stankovski, Peter McClintock, and Aneta Stefanovska from the Department of Physics at the United Kingdom’s Lancaster University.

“Here we offer a novel encryption scheme derived from biology, radically different from any earlier procedure,” said Stankovski. “Inspired by the time-varying nature of the cardio-respiratory coupling functions recently discovered in humans, we propose a new encryption scheme that is highly resistant to conventional methods of attack.”

Under this new cryptographic scheme, the sender’s communications would be encrypted as time variations of coupling functions from a pair of dynamical systems. These encrypted communications would then travel to and be decrypted by a second pair of identical dynamical systems using the same coupling functions. This, the researchers explain, is analogous to the way in which the human heart and lungs work to communicate with one another.

According to an introduction to the concept posted by the Computer Science Department at Brown University, “Dynamical systems are mathematical objects used to model physical phenomena whose state (or instantaneous description) changes over time. These models are used in financial and economic forecasting, environmental modeling, medical diagnosis, industrial equipment diagnosis, and a host of other applications.”

For a bit of context, the researchers explain that a recent discovery in the field of biology demonstrated that cardiorespiratory coupling functions can be broken down into a number of independent functions and that those functions are of a time-varying nature. In other, simpler words: these coupling functions can essentially be deconstructed and used as ciphers.

“As so often happens with important breakthroughs,” said Professor Stefanovska, “this discovery was made right on the boundary between two different subjects – because we were applying physics to biology.”

These findings, they explain, result in complicated biomedical functions that can be applied to the production of efficient and modular secure communications.

“The use of coupling functions in this way confers an unbounded number of encryption possibilities,” the researchers wrote in a popular summary of their work. “We demonstrate that the scheme enables more than one signal to be transmitted/received simultaneously and that it is exceptionally robust against external noise.”

Using coupling functions instead of standard cryptographic methods increases security by offering a greater degree of freedom in the encryption process without changing the qualitative state of the system. Thus, the researchers believe their method is a significant conceptual advance to the field of cryptography.

Furthermore, the scheme, the researchers claim, is highly modular, which enables it to be implemented in a wide array of different applications and communications protocols.

“This promises an encryption scheme that is so nearly unbreakable that it will be equally unwelcome to internet criminals and official eavesdroppers,” McClintock claims.

The advantage here, the researchers write, is that the new method offers an infinite number of choices for the secret encryption key shared between the sender and the receiver. This makes it virtually impossible for hackers and eavesdroppers to crack the code.

“Unlike all earlier encryption procedures, this cipher makes use of the coupling functions between interacting dynamical systems,” the researchers wrote. “It results in an unbounded number of encryption key possibilities, allows the transmission or reception of more than one signal simultaneously, and is robust against external noise. Thus, the information signals are encrypted as the time variations of linearly independent coupling functions.”

You can read a PDF version of their short but dense paper here and view a diagram illustrating how their method works below:


Connecting the Dots Between Cookies and Identities

Threatpost for B2B - Mon, 04/07/2014 - 13:23

A team of computer science engineers from Princeton have released a paper that explains how an adversary with a passive presence on a network or Internet backbone could track individuals by observing HTTP cookies.

The motivation for the project was news in December that the National Security Agency had the capability to access Google’s PREF cookies to conduct surveillance on individual targets. PREF cookies are preferences cookies that websites reference to learn a user’s preferred language for localization purposes and other personalization features.

Since little is known in detail about how the NSA gathers PREF cookies, the Princeton team took a high-level approach with their experiment: connecting the dots between the cookies that are dropped on a user’s machine as they surf the Web in order to establish their real-world identity.

Assuming an adversary, whether a criminal or intelligence agency, has a presence on the network, the working premise here is that the first- and third-party cookies dropped by sites and advertisers can be used to tie a user to web traffic without having to worry about dynamic IP addresses, said the paper, “Cookies that give you away: Evaluating the surveillance implications of web tracking,” written by Dillon Reisman, Steven Englehardt, Christian Eubank, Peter Zimmerman, and Arvind Narayanan. Also, HTTPS doesn’t seem to be an issue in this case because, the paper said, many websites where users are logged in may already reveal their identity in plain text.

“Thus, an adversary that can wiretap the network can not only cluster together the web pages visited by a user, but can then attach real-world identities to those clusters. This technique relies on nothing other than the network traffic itself for identifying targets,” the paper said. “Even if a user’s identity isn’t leaked in plaintext, if the adversary in question has subpoena power they could compel the disclosure of an identity corresponding to a cookie, or vice versa.”

The paper illustrates the researchers’ theory. The attacker passively monitors a user’s web traffic. Each time a user lands on a webpage, cookies are dropped, but the adversary is unable to begin connecting those dots until there are more than two sites visited.

“The unique cookie from X connects A and C while the one from Y connects B and C. We assume here that the user has visited pages with both trackers before so that cookies have already been set in her browser and will be sent with each request.”
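The linking step from the quote above, as an added example that is not the paper's code, useful for gauging how much of a session a passive observer could tie together. The struct, function names and cookie values are hypothetical and constructed; it also assumes that a tracker request sent over HTTPS is unreadable to the observer, which shows where the chain breaks.

```c
#include <stdio.h>
#include <string.h>

#define MAX_OBS 32

/* One request seen on the wire: the page being loaded, the tracker contacted,
 * the cookie value sent, and whether the request was cleartext HTTP. */
struct obs { const char *page, *tracker, *cookie; int cleartext; };

static int parent[MAX_OBS];

static int find(int i) { while (parent[i] != i) i = parent[i]; return i; }

/* Links requests that belong to the same page load or carry the same tracker
 * cookie; requests the observer cannot read stay unlinked. n <= MAX_OBS. */
void link_requests(const struct obs *o, int n)
{
    for (int i = 0; i < n; i++) parent[i] = i;
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++) {
            if (!o[i].cleartext || !o[j].cleartext) continue;
            int same_page = strcmp(o[i].page, o[j].page) == 0;
            int same_cookie = strcmp(o[i].tracker, o[j].tracker) == 0 &&
                              strcmp(o[i].cookie, o[j].cookie) == 0;
            if (same_page || same_cookie) parent[find(i)] = find(j);
        }
}

int same_cluster(int i, int j) { return find(i) == find(j); }

/* Constructed sample mirroring the quote: X is on pages A and C, Y on B and C.
 * Returns 1 if the visits to A and B end up in one cluster. */
int demo_a_linked_to_b(int y_over_https)
{
    struct obs o[] = {
        { "A", "X", "x-111", 1 },
        { "B", "Y", "y-222", !y_over_https },
        { "C", "X", "x-111", 1 },
        { "C", "Y", "y-222", !y_over_https },
    };
    link_requests(o, 4);
    return same_cluster(0, 1);
}

int main(void)
{
    printf("Y cleartext: %d, Y over HTTPS: %d\n",
           demo_a_linked_to_b(0), demo_a_linked_to_b(1));
    return 0;
}
```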

The experiment modeled online user behavior, on the supposition that a user visits up to 300 websites during a two-to-three-month period, and looked for components that connect users to their identity. The paper said that 90 percent of visits are able to be clustered in this way.

“It applies even if the adversary is able to observe only a small, random subset of the user’s requests,” the paper said. “We find that on average, over two-thirds of time, a web page visited by a user has third-party trackers.”

The researchers also learned that 60 percent of the top 50 Alexa websites transmit identifying information in plaintext, such as a user’s name or email address, once a user is logged in, greatly enhancing the experiment’s chances of success.

An attacker interested in monitoring the web activities of a target or set of targets can scan for identity information in the plaintext HTTP traffic or target the cookie ID from a first-party page, the paper said. The researchers said this starting point enables the attacker to “transitively” connect the first-party cookie to other first- and third-party cookies to tie an identity to a cluster of traffic.

“We hope that these findings will inform the policy debate on both surveillance and the web tracking ecosystem,” the paper said. “We also hope that it will raise awareness of privacy breaches via subtle inference techniques.”
