Wednesday, March 4, 2015

What the "FREAK" !!!

Another widespread and serious SSL/TLS vulnerability has been uncovered that for over a decade left millions of users of Apple and Android devices exposed to man-in-the-middle attacks on encrypted traffic when they visited supposedly 'secured' websites, including the official websites of the White House, FBI and National Security Agency.

The "FREAK" vulnerability (CVE-2015-0204), short for Factoring Attack on RSA-EXPORT Keys, enables hackers or intelligence agencies to force a client into using older, weaker "export-grade" encryption, meaning RSA keys of at most 512 bits.

FREAK, discovered by security researchers at the French Institute for Research in Computer Science and Automation (Inria) and Microsoft, affects OpenSSL clients older than 1.0.1k (the release that fixed CVE-2015-0204) and Apple's Secure Transport.

Back in the 1990s, the US government regulated the export of products using "strong" encryption, so devices were loaded with weaker "export-grade" encryption before being shipped out of the country.

At that time, "export-grade" RSA was limited to a key length of 512 bits. In 2000, after the US export rules were relaxed, vendors were able to include 128-bit ciphers in their products and distribute them worldwide.

The problem is that support for "export-grade" cryptography was never removed, and now, two decades later, FREAK makes it practical for an attacker to factor the weak 512-bit export key and decrypt passwords, login cookies and other sensitive data from HTTPS connections.

Assistant Research Professor Matthew Green of Johns Hopkins University's Information Security Institute in Maryland wrote a blog post detailing how an attacker could perform the MitM attack:

  1. In the client's Hello message, it asks for a standard 'RSA' ciphersuite. The MITM attacker changes this message to ask for 'export RSA'.
  2. The server responds with a 512-bit export RSA key, signed with its long-term key.
  3. The client accepts this weak key due to the OpenSSL/Secure Transport bug.
  4. The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
  5. When the client encrypts the 'pre-master secret' to the server, the attacker can now decrypt it to recover the TLS 'master secret'.
  6. From here on out, the attacker sees plain text and can inject anything it wants.

A scan of more than 14 million websites that support the SSL/TLS protocols found that more than 36% of them still supported RSA export cipher suites (e.g., TLS_RSA_EXPORT_WITH_DES40_CBC_SHA) and were therefore exposed to the decryption attack.

Cracking a 512-bit key in the '90s would have required a supercomputer of the era; today it can be done in about seven hours for roughly $100 of computing time per key.

A FREAK attack is possible when a user on a vulnerable client (currently Android smartphones, iPhones and Macs running Apple's OS X) connects to an HTTPS website that still supports RSA export cipher suites, with the attacker positioned on the network path between them. At the time of writing, Windows and Linux end-user devices were not believed to be affected.

Security researchers are maintaining a list of top vulnerable websites and encourage web server administrators to disable support for export suites, including all known insecure ciphers, and enable forward secrecy.
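As an added example (not code from the original article or from the FREAK researchers), the Python script below hand-builds a TLS 1.0 ClientHello that offers only the three RSA_EXPORT cipher suites from RFC 2246 and checks whether a server answers with a ServerHello selecting one of them. A server that does is still serving export-grade RSA, which is the server-side precondition for the downgrade described above. The ServerHello bytes used by the built-in self-check are constructed, not captured from a real server, and the host name in the usage line is a placeholder.

```python
"""
Probe whether a TLS server will negotiate an RSA export cipher suite.

Added example, not code from the original post. A minimal TLS 1.0 ClientHello
offering *only* RSA_EXPORT suites is sent; if the server replies with a
ServerHello that picks one of them, it still speaks export-grade RSA.
"""
import os
import socket
import struct

# RSA export suites from RFC 2246 (TLS 1.0), appendix A.5.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15          # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types
TLS_1_0 = b"\x03\x01"


def build_client_hello(suites, client_random=None):
    """Return a TLS record carrying a ClientHello that offers only `suites`."""
    client_random = client_random or os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        TLS_1_0
        + client_random
        + b"\x00"                                    # empty session id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                # one compression method: null
    )
    # handshake header: type (1 byte) + length (3 bytes, big-endian)
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # record header: type (1) + version (2) + length (2)
    return bytes([HANDSHAKE]) + TLS_1_0 + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Return the cipher suite chosen in a ServerHello, or None on alert/garbage."""
    if len(data) < 5:
        return None
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    # An alert (typically handshake_failure) means the server refused every
    # offered suite, i.e. it does not support export RSA.
    if content_type == ALERT or len(rec) < 4 or rec[0] != SERVER_HELLO:
        return None
    body = rec[4:]
    # body = version(2) + random(32) + session_id_len(1) + session_id + suite(2)
    if len(body) < 35:
        return None
    sid_len = body[34]
    off = 35 + sid_len
    if len(body) < off + 2:
        return None
    return struct.unpack("!H", body[off:off + 2])[0]


def server_accepts_export_rsa(response_bytes):
    """Name of the negotiated RSA_EXPORT suite, or None if none was chosen."""
    return RSA_EXPORT_SUITES.get(parse_server_response(response_bytes))


def make_server_hello(suite):
    """Constructed ServerHello record (for the offline self-check only)."""
    body = TLS_1_0 + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([HANDSHAKE]) + TLS_1_0 + struct.pack("!H", len(hs)) + hs


def probe(host, port=443, timeout=5):
    """Live check against a real server; returns the suite name or None."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(list(RSA_EXPORT_SUITES)))
        return server_accepts_export_rsa(s.recv(4096))


if __name__ == "__main__":
    # Placeholder host; replace with a server you are authorised to test.
    print(probe("www.example.com"))
```

A non-None result from `probe()` means the server still offers export RSA and should have those suites removed from its cipher configuration. The equivalent one-liner with a stock OpenSSL 1.0.x is `openssl s_client -cipher EXPORT -connect host:443`, which only works with an OpenSSL build that still contains the export ciphers. Note that this checks the server side only: a client is exposed to FREAK only if it also has the CVE-2015-0204-style bug of accepting a 512-bit key in a non-export handshake.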

Google said an Android patch has already been distributed to partners. Google is also calling on all websites to disable support for export cipher suites.

Apple also responded to the FREAK vulnerability and released a statement that, "We have a fix in iOS and OS X that will be available in software updates next week."

Friday, February 27, 2015

Safeguarding the Payment Card Industry

The twentieth century U.S. criminal Willie Sutton was said to rob banks because “that’s where the money is.” The same motivation in our digital age makes merchants the new target for financial fraud. It’s a serious problem.

Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; in paper-based storage systems; and unsecured transmission of cardholder data to service providers. Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) helps to alleviate these vulnerabilities and protect cardholder data.

PCI DSS and related security standards are administered by the PCI Security Standards Council (PCI SSC), which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Participating Organizations include merchants, payment card issuing banks, processors, developers and other vendors.

There are three ongoing steps for adhering to the PCI DSS:

Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.

Remediate — fixing vulnerabilities and not storing cardholder data unless you need it.

Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with.
 
PCI Security Standards cover the following areas:

PCI Data Security Standard (DSS):

The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers the technical and operational system components included in or connected to the cardholder data environment. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.

PIN Transaction Security (PTS) Requirements:

The PCI PTS (formerly PCI PED) is a set of security requirements focused on the characteristics and management of devices used to protect cardholder PINs and other payment-processing activities. The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that deploys it. Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC (www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php).

 

Payment Application Data Security Standard (PA-DSS):

The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement, when those applications are sold, distributed or licensed to third parties. Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC.

Validated applications are listed at:

www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php

 

Tuesday, February 24, 2015

You don't have to wait until you're attacked to take cybersecurity seriously !!

The "Global Megatrends in Cyber Security 2015" survey, commissioned by Raytheon and conducted by the Ponemon Institute among 1,006 CIOs, CISOs and senior IT leaders worldwide, found that a lack of resources and a critical disconnect between CISOs and senior leadership are preventing companies from addressing growing cyber security threats.

A majority of respondents (78 percent) said their Board of Directors has not been briefed on their organization's cyber security strategy in the last 12 months. In addition, 66 percent of respondents believe senior leaders in their organization do not perceive cyber security as a strategic priority.
Among the findings were also some signs of optimism, as a majority of those surveyed believe cybersecurity awareness through training will improve over the next three years. The survey of information security professionals from across the globe further indicated that most security professionals expect their organization's cyber posture to improve during that same timeframe.

Other key findings include:
1) Less than half of respondents (47 percent) believe their organizations take appropriate steps to comply with the leading cybersecurity standards.

2) Only one-third of those surveyed believe their organizations are prepared to deal with the cybersecurity risks associated with the Internet of things (IoT) and the proliferation of IoT devices.

3) Fewer than half of all respondents (47 percent) say their organizations have sufficient resources to meet cybersecurity requirements.

4) Two-thirds (66 percent) of those surveyed indicated their organizations need more knowledgeable and experienced cyber security practitioners.

5) Nearly half (47 percent) of respondents believe zero-day threats will become one of the most prevalent cyber threats.

6) More than one-third (35 percent) believe attacks on critical infrastructure will become one of the world's five most prevalent threats.

7) Senior IT leaders see the use of virtual currencies as a low risk to their organizations today but becoming a very high risk to their organizations in the future.

8) Surveyed CISOs believe that when it comes to cybersecurity, the three most important technologies in the future will involve big data analytics, forensics and next-gen firewalls.

"You don't have to wait until you're attacked to take cybersecurity seriously," said Jack Harrington, vice president of cybersecurity and special missions at Raytheon Intelligence, Information and Services. "From the board room to the President's desk, rallying around the cybersecurity issue is critical to address the real threats we face as a global society."

Monday, February 23, 2015

Facebook finds Superfish-like SSL hijacking in a dozen more apps

'Superfish' is advertising software recently found pre-installed on Lenovo laptops. It affected dozens of consumer-grade Lenovo laptops shipped before January 2015, exposing users to a hijacking technique that silently intercepts and decrypts HTTPS connections, tampers with pages and injects advertisements.

Lenovo just released an automated Superfish removal tool to ensure complete removal of Superfish and Certificates for all major browsers.

Now Facebook has identified at least 12 more software titles that use the same HTTPS-breaking technology as Superfish: the Komodia library that gives the Lenovo-bundled adware its ability to install a rogue certificate and hijack encrypted connections.

The operators listed in the post are as follows:

1) CartCrunch Israel LTD
2) WiredTools LTD
3) Say Media Group LTD
4) Over the Rainbow
5) Tech System
6) Alerts Arcade Giant
7) Objectify Media Inc
8) Catalytix Web Services
9) Optimizer Monitor

Superfish's "SSL hijacking" technique comes from a framework bought in from a third party, Komodia, according to a blog post by Matt Richard, a threats researcher on the Facebook security team. The library bypasses Secure Sockets Layer (SSL) protections by modifying the network stack of the computers that run its underlying code.

Komodia installs a self-signed root CA certificate that lets the library intercept and decrypt connections to any HTTPS-protected website on the Internet. Komodia's "SSL Decoder" component is embedded in numerous products besides Superfish.

In 2012, Facebook started a project with researchers from Carnegie Mellon University to measure how prevalent SSL man-in-the-middle (MitM) attacks are.

The team found that various deep packet inspection (DPI) devices shipped with the same private key across devices, so extracting the key from any single device compromises every installation that shares it.

The researchers said that the Komodia library can be easily detected as the software that installs the root CA contains a number of easily searchable attributes that enable the team to match up the certificates they see in the wild with the actual software.
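The measurement described above works from the client side: look at the issuer of the certificate the browser actually receives for a well-known site and compare it with the issuers that site is known to use. The Python below is an added example of that check, not code from Facebook's post or the original article. It takes certificates in the dictionary form Python's `ssl` module returns from `getpeercert()`, flags issuers or subjects that carry a known interception vendor's name, and otherwise reports any issuer that is not on the site's expected list. The expected-issuer names and the two sample certificates are constructed for the demo.

```python
"""
Spot an HTTPS-intercepting root such as Superfish/Komodia from the client side.

Added example; not Facebook's measurement code. The idea is the same: the
issuer of the leaf certificate the *client* sees for a well-known site should
be one of that site's real public CAs. A local interception root shows up as
an issuer the site never uses.
"""
import socket
import ssl

# Vendor names that appeared in the Komodia-based interception products.
# Constructed starting list for the example; extend it from your own intel.
KNOWN_INTERCEPTORS = ("superfish", "komodia")


def rdn_to_dict(rdn_seq):
    """Flatten the tuple-of-tuples name format returned by ssl.getpeercert()."""
    out = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            out[key] = value
    return out


def classify_issuer(cert, expected_issuer_orgs):
    """Return 'ok', 'known_interceptor' or 'unexpected_issuer' for a peer cert.

    `expected_issuer_orgs` is the set of organizationName values the site's
    real certificate chain uses (assumed known out of band).
    """
    issuer = rdn_to_dict(cert.get("issuer", ()))
    subject = rdn_to_dict(cert.get("subject", ()))
    names = " ".join(str(v) for v in (*issuer.values(), *subject.values())).lower()
    if any(tag in names for tag in KNOWN_INTERCEPTORS):
        return "known_interceptor"
    if issuer.get("organizationName") not in expected_issuer_orgs:
        return "unexpected_issuer"
    return "ok"


def fetch_peer_cert(host, port=443):
    """Live check: return the leaf certificate this client sees for `host`."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape getpeercert() returns; not captured data.
SAMPLE_LEGIT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA G2"),),
    ),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Superfish, Inc."),),
        (("commonName", "Superfish, Inc."),),
    ),
}

if __name__ == "__main__":
    # Placeholder host and issuer list; substitute a site whose chain you know.
    cert = fetch_peer_cert("www.example.com")
    print(classify_issuer(cert, {"Example Public CA"}))
```

On a machine where the Komodia root has been added to the system trust store, `create_default_context()` will happily validate the forged chain, which is exactly why the issuer has to be compared against an out-of-band expectation rather than trusted because the handshake succeeded. A verification failure on a clean machine that does not have the rogue root installed is the other symptom of the same interception.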

Google releases Cloud-based Web App Vulnerability Scanner and Assessment Tool

Google on Thursday released "Google Cloud Security Scanner", a web application vulnerability scanner that checks applications running on its cloud platform for common security vulnerabilities.

Google Cloud Security Scanner, now in beta, lets App Engine developers regularly scan their applications for two common vulnerabilities:

1) Cross-Site Scripting (XSS)
2) Mixed content (scripts and other resources loaded over plain HTTP from an HTTPS page)

Google says existing website vulnerability scanners are typically hard to set up and "built for security professionals", not for the developers who run apps on Google App Engine; the Cloud Security Scanner is meant to be easier for those developers to use.

Today, common HTML5 and JavaScript-heavy applications are more challenging to crawl and test, and Google Cloud Security Scanner claims to take a novel approach by parsing the code and then executing a full-page render to find more complex areas of a developer's site.

Developers can start a first scan from Compute > App Engine > Security in Google's Developers Console. The scanner does not work with App Engine Managed VMs, Google Compute Engine, or other resources.

Google notes that there are two typical approaches to such security scans:

Parse the HTML and emulate a browser –This is fast; however, it comes at the cost of missing site actions that require a full DOM or complex JavaScript operations.

Use a real browser – This approach avoids the parser coverage gap and most closely simulates the site experience. However, it can be slow due to event firing, dynamic execution, and time needed for the DOM to settle.
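To make the two approaches concrete, here is an added example (not Google's code) of the static half of the job: a mixed-content check over a page's HTML of the kind the scanner reports. It resolves relative and protocol-relative URLs before deciding whether a sub-resource is fetched over plain HTTP, so those are not misreported, and separates active content (scripts, frames, stylesheets, which browsers block) from passive content (images, which only trigger a warning). The sample page is constructed for the demo and deliberately includes a script tag injected at runtime by JavaScript, which a static parser never sees; that is the coverage gap that pushes the scanner to render in a real browser as well.

```python
"""
Static mixed-content check over HTML served from an HTTPS page.

Added example, not Google Cloud Security Scanner code. Only the HTML parser
approach is shown; anything the page adds to the DOM at runtime is invisible
here, which is the parser coverage gap described in the post.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a sub-resource fetch.
FETCH_ATTRS = {"script": "src", "iframe": "src", "link": "href", "img": "src"}
ACTIVE_TAGS = {"script", "iframe", "link"}   # blocked by browsers when mixed


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if not attr:
            return
        attrs = dict(attrs)
        url = attrs.get(attr)
        if not url:
            return
        # Only stylesheet links are fetched as sub-resources for this check.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        # urljoin resolves "/path" and "//host/path" against the page's scheme,
        # so only genuinely http:// references survive the scheme test below.
        absolute = urljoin(self.page_url, url)
        if urlsplit(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    """Return [(kind, tag, absolute_url)] for sub-resources loaded over HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for HTTPS documents
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page; not taken from any real site.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="icon" href="http://cdn.example.net/favicon.ico">
<script src="//cdn.example.net/app.js"></script>
<script src="/static/local.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<iframe src="http://ads.example.net/frame"></iframe>
<script>
  // Injected at runtime: a static parser never sees this request.
  var s = document.createElement('script');
  s.src = 'http://tracker.example.net/t.js';
  document.body.appendChild(s);
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://www.example.com/page", SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```

Run against the sample, the parser reports the stylesheet, the image and the iframe, and nothing else: the protocol-relative and root-relative scripts resolve to https and are fine, the favicon is not a stylesheet, and the tracker script built by `document.createElement` is missed entirely. Catching that last one needs the real-browser approach.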

Google Cloud Security Scanner uses Google Compute Engine to dynamically create a "botnet" of hundreds of virtual Chrome workers that scan at a maximum rate of 20 requests per second, so the target site is not overloaded.
Google still recommends a manual security review in addition to the scanner; the company hopes the tool will give a simple answer to the most common App Engine issues with minimal false positives.

Tuesday, February 17, 2015

CARBANAK BANKING MALWARE IN THE WILD - Hackers Stole $300 Million from 100 Banks Using Malware.

According to a report published by the New York Times on Saturday, hackers have stolen as much as $1 Billion from more than 100 banks and other financial companies in almost 30 nations, making it "the most sophisticated attack the world has seen to date."

In late 2013, banks in Russia, Japan, Europe, the United States and other countries began falling victim to a massive, sophisticated malware campaign that let the attackers spy on bank staff and mimic their behaviour, according to an upcoming Kaspersky Lab report obtained by the NY Times.

To infect bank staff, the group sent malicious emails to hundreds of employees at different banks. Once opened, the attachment installs a malware program called Carbanak, which allegedly let the perpetrators transfer money from the banks to fake accounts or dispense cash from ATMs watched by accomplices.

The exact amount stolen is unclear, though total losses could exceed $300 million: the hackers took no more than about $10 million at a time, and some banks were hit more than once.
Kaspersky Lab does not name the affected banks and financial institutions in its report, and notably no bank has come forward to say it was hit in this record theft.

Sunday, February 15, 2015

Be Safe…Stay Secure from CTB Locker.

A new variant in the ransomware family, referred to as CTB Locker, is spreading fast. Ransomware is malicious software that denies you access to your computer or files until you pay a ransom. The malware encrypts files on your computer and may lock your screen, making the computer unusable. It is mostly circulated in the following way:
  1. The user gets an e-mail containing an attached .zip file meant to arouse curiosity, inviting the user to click on it. The .zip file contains a Trojan.
  2. After being opened, it infects the computer and initiates encryption of files. If the user is using network shares, the malware will try to encrypt mounted devices as well.
  3. If the user tries to access files, the CTB Locker prompts the user with a ransom notice for unlocking the computer, with a timer showing the time left to pay the ransom.
Presently, there is no known way to break the encryption used by the CTB Locker and recover the files; you may lose the information permanently!

It is a high-severity infection and hence you are requested to follow these safe-computing practices diligently:
  1. Do not click on unsolicited web links in email messages.
  2. Use caution when opening email attachments.
  3. Maintain up-to-date anti-virus software.
  4. Keep your operating system and software up-to-date with the latest patches.
  5. Keep regular backups on storage that is not left connected to the computer, since the malware also encrypts mounted network shares.
If you suspect that your computer has been infected or is displaying any of the above-mentioned signs, please follow the instructions given below:
  1. Disconnect the infected computer from the network (wireless or wired) immediately.
  2. Don’t pay the ransom money. Your computer may still be at risk even after you pay the ransom and have it unlocked by the perpetrator.
  3. Change all passwords after the malware has been removed from your system.