How To Detect Heartbleed Mutations

Recently, security patches have been applied to servers affected by Heartbleed. Heartbleed is the biggest security exploit affecting industries to date. It allowed access to the memory contents of a connected client or server. About 66% of websites using OpenSSL are now potential targets. The biggest concern for security managers is not fixing Heartbleed itself but the variations of the bug that have come up. There are hundreds and possibly thousands of variants that the patch will not address, which could lead to a false sense of security. Security patches close security holes in a product; attack mutations, however, do not fall within the scope of the patch. To prevent this, tests must be conducted to defend against mutations.

To test for Heartbleed mutations, a full analysis of the server's SSL stack must be performed. This narrows the number of possibilities to a finite list of breach points. In the case of the vulnerability, the SSL client had the ability, in the Heartbeat response, to request greater than 64k bytes of data. A fuzzer would be able to test this scenario and find the vulnerability using an out-of-bounds method. Once the holes are found they should be patched, then retested to measure whether more holes open. To gain assurance, one-arm stateful SSL/TLS testing should be used; two-arm simulations will not test your network's vulnerability to attack. SSL/TLS fuzzing tests mutation holes exhaustively. Exhaustive testing treats the device under test (DUT) as a system that allows interaction with it in one-arm mode. One-arm exhaustive testing exposes the DUT to more coverage and reduces the chance of exploitation.
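The over-read described above came from trusting the length field inside the Heartbeat message instead of the length of the data actually received. The following is an added example, not code from the article or from OpenSSL: a minimal parser for the RFC 6520 heartbeat message layout (1 byte type, 2 byte payload_length, payload, at least 16 bytes padding) that applies the same bounds check the Heartbleed fix introduced and rejects a message whose declared payload does not fit in the record. The sample messages built with `build_heartbeat` are constructed for this example, including one with a deliberately lying header so the check can be seen firing.

```python
"""
Added example (not from the article or OpenSSL): parse a TLS Heartbeat
message and enforce the bounds check that the Heartbleed fix introduced.

Layout per RFC 6520: type (1 byte) | payload_length (2 bytes, big-endian)
                     | payload | padding (>= 16 bytes).
The defect was copying payload_length bytes out of memory without confirming
that many bytes had actually arrived in the record.
"""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding


def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Return (type, payload), or raise ValueError if the message is malformed.

    The test `1 + 2 + payload_length + MIN_PADDING <= len(record)` is the
    check the patched OpenSSL performs before touching the payload.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        raise ValueError("heartbeat record too short")
    hb_type = record[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError(f"unknown heartbeat type {hb_type}")
    (payload_length,) = struct.unpack("!H", record[1:3])
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        # Declared payload does not fit in what was received: this is the
        # over-read condition. The fix discards such a message silently.
        raise ValueError("declared payload_length exceeds record length")
    payload = record[3:3 + payload_length]
    return hb_type, payload


def build_heartbeat(hb_type: int, payload: bytes,
                    declared_length: Optional[int] = None,
                    padding_len: int = MIN_PADDING) -> bytes:
    """Encode a heartbeat message (constructed test input).

    declared_length lets a test write a header that disagrees with the
    real payload size, which is exactly what the parser must catch.
    """
    length = len(payload) if declared_length is None else declared_length
    return bytes([hb_type]) + struct.pack("!H", length) + payload + b"\x00" * padding_len


def classify(record: bytes) -> str:
    """Convenience wrapper for review output: 'ok' or the rejection reason."""
    try:
        parse_heartbeat(record)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    honest = build_heartbeat(HEARTBEAT_REQUEST, b"hello")
    lying = build_heartbeat(HEARTBEAT_REQUEST, b"hello", declared_length=0xFFFF)
    print("honest header :", classify(honest))
    print("lying header  :", classify(lying))
```

A fuzzer exercising the heartbeat path would generate many variants of the lying header (every `declared_length` above the real size, truncated padding, odd type bytes); the parser above is the shape of the code that must survive all of them, and `classify` gives a single string per message that is convenient to tabulate when comparing a patched and an unpatched stack.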

Finding, fixing, and scanning for vulnerabilities needs to be an iterative process. IT teams can take control of their network security with proactive and progressive testing. By finding the mutations early there is a possibility for prevention. Preventing a Heartbleed mutation will be beneficial to everyone, and it allows for a secure web server with no fear of information being leaked.

http://www.darkreading.com/how-to-detect-heartbleed-mutations/d/d-id/1234812?

IBM, Intel, Microsoft, Facebook, Google, etc. fund OpenSSL

Open source software secures thousands of Web servers and products sold by multi-billion-dollar companies while operating on a small budget. OpenSSL typically receives $2,000 in donations, with only one employee working on the open source code full time. With this information it should be no surprise how a security flaw exposed user passwords and private encryption keys used to protect websites. This flaw became known as the Heartbleed virus.

Unlike other open source projects such as the Linux operating system kernel, OpenSSL does not have the support of firms spending large amounts of their employees' time writing code. However, the Linux Foundation wishes to change this. They are proposing a three-year initiative with $3.9 million to help under-funded open source projects. Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, and other companies have pledged to provide $100,000 a year for three years. This money will go to multiple open source projects, with OpenSSL receiving a portion of the funding. Because Heartbleed inspired the campaign, OpenSSL will be the first to receive funds from the initiative. They will receive funding for key developers and resources to improve security and improve responsiveness to patch requests. The Linux Foundation believes these open source developers should be their own bosses regardless of funding.

If the companies had donated money earlier, the Heartbleed vulnerability could have been contained to Web servers without affecting other products. According to Marquess, OpenSSL should have a team of members instead of just one so they can concentrate on the care of OpenSSL. Donations have increased since Heartbleed. Many OpenSSL Software Foundation consultants have also agreed to work with commercial customers for $250 an hour. This money may benefit the consultants but doesn't help improve OpenSSL for all users. For OpenSSL team members without any other employment, this contract work is their only source of income. OpenSSL's failure to accept code contributions is attributed to its lack of resources. Zemlin has stated that they must figure out which open source projects are crucial to the Internet and its users in order to make good use of the money.

It's good to see companies taking the initiative to fund OpenSSL. However, had they funded it earlier, Heartbleed would not be as huge as it is now. From the impression I got reading this article, many companies do not take security as seriously as they should. This vulnerability finally brought security to center stage and alerted companies to its dangers. The money being donated will help, but it can only go so far. If the money allows new people to join the team, some progress can be made. However, if the money is just going to the same people who already deny code resources to others, vulnerabilities may still be prevalent.

http://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-heartbleed-finally-agree-to-fund-openssl/

Phishers Recruit Home PCs

Recently, many phishing sites have been found to be hosted on the personal computers of residential broadband customers. Attackers accomplish this by exploiting home computers that have the Remote Desktop Protocol service enabled on Microsoft Windows. Phishing sites hosted on compromised home PCs have a longer lifespan than those in other hosting environments because ISPs have little control over home computers connected to their broadband networks.

Attackers begin compromising residential computers by scanning residential IP address space for open ports and weak passwords. Once they have access to a system they install web server software and upload phishing pages, which are then promoted through spam messages. RDP listens on port 3389/tcp by default, but the service is turned off by default on Windows desktops; only 1 to 2 percent of people have RDP turned on. PhishLabs surveyed Class B network blocks assigned to residential customers at the three ISPs with the most phishing sites, looking at the address ranges that phishing crews are likely to have scanned. Of the 180,000 hosts examined, approximately 1.5 percent had RDP ports open to the Internet.

Given the number of phishing sites that are up, they estimate that phishers have been scanning 1.5 million computers on the affected networks each month. Once inside, attackers install the PHP Triad software and upload phishing pages targeting various North American financial institutions. Lacking direct access to customers' machines, Internet service providers cannot shut these sites down. Currently, the crew behind the attacks seems to be interested only in phishing, as no evidence of malware has been detected. This type of attack takes advantage of weak passwords and open ports. The use of home networks makes detection harder and gives attackers a better way to target people. This information should be used to help educate Internet service providers on methods to prevent this from happening.

http://www.darkreading.com/attacks-breaches/phishers-recruit-home-pcs-/d/d-id/1204571?

FBI Facial Recognition Software

The FBI is currently putting together a database of photos of individuals to be identified through facial recognition technology. This includes both criminal and non-criminal records. The system will query the database of photos to identify individuals based on appearance. The Electronic Frontier Foundation received documents related to the system following a Freedom of Information Act request seeking details on the FBI's Next Generation Identification project. This data may hold information on as many as a third of all Americans. The NGI database contains over 100 million records of fingerprints, retinal scans, and palm prints. Faces, along with information on name, age, race and address, are expected to be a part of the database as well. Federal agencies as well as 18,000 local, tribal, and state law enforcement agencies in the US will have access to this database.

By next year, the system will include 52 million photos to identify people. 46 million of these will be criminal images, 4.3 million civilian images, and 215,000 from the Repository for Individuals of Special Concern. Jobs that require a background check or fingerprinting will also send that information to the FBI to become part of its database. The FBI does not make clear where the remaining millions of images will come from. It has indicated that 750,000 images will come from a "Special Population Cognizant" category and 215,000 from "new repositories." This is a concern because it's unclear where the data comes from, how the images are collected, who has access to them, and how they impact privacy.

In the past, the FBI has never linked the criminal and non-criminal databases. As a result, the EFF says, "even if you've never been arrested for a crime, if your employer requires you to submit a photo for a background check, your face image could be searched and you could be implicated as a criminal suspect just by having the image on file." Several states are sharing and accessing this data through NGI. FBI documents suggest that the search is intended as an "investigative lead" rather than as identifying a person as a suspect.

The FBI states that the person being recognized will be returned in the top 50 candidates 85 percent of the time. It isn't clear what happens if the "true candidate" does not appear in the results. These results pose a problem, as innocent people could be placed under investigation because the software determines they look similar to criminals. This carries a high possibility of false results and of suggesting people as suspects for crimes they didn't commit. There are restrictions on the type of images being included in the system; this includes photos from social network sites. One of the biggest concerns is the use of the database to identify faces in a crowd, which poses a threat to the privacy and speech of people engaged in political protests.

Facial recognition technology has the potential to improve services for consumers and businesses, and identification and authentication online. However, there should be concern about false arrests or imprisonment, since this data will be used to prosecute criminals. In some extreme cases NGI could lead law enforcement to pull a suspect's friends and acquaintances into an investigation. There is also potential for the software to misinterpret an image and provide false data, since most of the images being processed are low quality.

http://www.foxnews.com/tech/2014/04/16/massive-fbi-facial-recognition-database-threat-to-privacy-group-says/

http://www.technewsworld.com/story/FBI-May-Pick-Out-Your-Face-in-a-Crowd-80306.html

http://www.theverge.com/2014/4/14/5613928/fbi-facial-recognition-database-will-contain-52-million-images-by-2015

Social Engineering Growing Up

During the DEF CON Social Engineering contest in Vegas, contestants are assigned a teammate with whom they call targeted corporations. Christopher Hadnagy, organizer of the contest, said contestants must extract as much information about a company as they can from the call recipient. Contestants collect "flags" ranging from the type of browser the company uses to the name of its cleaning service. The caller needs the recipient to hand the call to his manager or another colleague to lend legitimacy to the call. This type of exploit is becoming more common among social engineers. Many of them now follow phishing with a voice-mail to add a level of authenticity. Michele Fincher, chief agent at Social-Engineer.org and a former psychology professor, points to a phishing campaign that spoofed Verizon's tech support number. Victims were lured to malicious websites through calls, emails, and legitimate-looking websites.

Social-Engineer.org launched its website to provide better resources about social engineering to a variety of people. Social engineering is becoming more common around the world, and the site helps to educate people. Many law enforcement officers, senior managers, and professors have begun using the site and are taking classes about social engineering. Contestants looking to join the contest must submit a video showcasing their social engineering talents. Contestants chosen for the contest research their target corporation using open-source information. Many corporations, such as AT&T, Target, Mobil, and Walmart, have been targeted. Fortune 500 corporations have yet to be targeted by the contest, according to officials. Kevin Mitnick, social engineering extraordinaire, attends these contests and gives a talk at the end.

It's quite interesting how a contest is being used as a way to raise awareness of the dangers of social engineering. Targeted companies have the opportunity to find flaws within their organization and better address the issue of social engineering with employees. This also allows them to implement training to help recognize when an attack is occurring. The contest shows how easily information can be breached and exploited. I believe countermeasures should be implemented to help prevent phishing. People should also be aware of the information they publicly display. In order for progress to be made against phishing, people must be more educated and informed on the subject.

http://www.darkreading.com/informationweek-home/social-engineering-grows-up/d/d-id/1204252?

Iranian Cyberattacks On The Rise

In 2013 a number of politically motivated attacks against companies across the world were carried out by hackers. While cyberespionage and attacks on the US have usually been attributed to China, recent activity links to Iran and Syria. Iran is suspected to be behind the August 2012 malware infections that targeted two energy companies. Industry observers assume that the Iranian government sponsored the attack after its nuclear facility was infected by the Stuxnet virus. The energy attack was one of many attacks suspected to have been carried out by Iranian-based hackers. Compared to Chinese attacks, these appear less sophisticated because of their use of publicly available tools. These hackers were able to compromise a network without relying on its outdated vulnerabilities. Although they compromised the network, nothing indicates what their end goals were.

The Syrian Electronic Army (SEA), on the other hand, has the goal of obtaining the public's attention. Since 2011 the group has compromised more than 40 organizations, specifically the websites and social media accounts of agencies in the West. The group used two tactics to gain access to these organizations: sending phishing emails from internal accounts and compromising service providers. Analysts believe that SEA will continue these attacks in order to increase publicity for its support of Syrian president Bashar al-Assad. The group has increased fear of cyber attacks among governments and corporations. According to reports, during 2012, attacks on media and entertainment companies rose to 13%. From the New York Times breach to other organizations coming forward with their incidents, 2013 has been a crazy year for the cybersecurity industry. To bring cyber-attacks to the world's attention, President Obama discussed his concerns about them during his State of the Union address.

Cyber-attacks are becoming a huge issue, as news stories about attacks are becoming prominent around the world. Many companies as well as everyday individuals are the targets of cyber attacks. This is such a huge concern because companies are at risk of private information being stolen, including client information. Although security measures are slowly increasing in order to prevent attacks, hackers are also improving their skills. I believe that this trend will persist and that these attacks present a prominent issue in the way things are run (i.e. business, communication, etc.).

http://www.darkreading.com/infrastructure/iranian-based-cyberattack-activity-on-the-rise-mandiant-report-says/d/d-id/1204405?

Stop these criminals!

The cyber criminals who stole 40 million card accounts from Target did so by infiltrating its network. Target blocked outbound paths on its POS systems, which caused the hackers to set up command inside the network. With access to the network they were able to siphon data and ship it out to their machines. However, analysts believe there were ways to slow, track, or even stop the attacks before they happened. By closing unnecessary conduits and becoming familiar with the normal behavior of their network, they could have spotted the outliers.

Cris Ewell, chief information security officer at Seattle Children's Hospital, states that a good incident response plan can go a long way in the event of a breach. Using this strategy, they can find holes in their network and close any unnecessary ports. The hospital's internal systems have no direct access to the Internet, which dramatically decreases the risk of attack. Even with this precaution, hackers are smart and well funded enough to obtain the data if they wanted it.

In a recent study, less than 10% of organizations had a response operation team. Ewell is part of multiple ISACs and shares information with other CISOs in his region. To be more effective in stopping attacks, Ewell is creating a custom tool to monitor "blips", that is, potential attacks. Experts believe that monitoring blips can help spot attackers in your network.
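The advice in this section amounts to two checks on outbound traffic: an egress path that was never used before (an unnecessary conduit) and an unusually large transfer over a known path (a blip). The code below is an added example written for this page; it is not Ewell's tool, Target's monitoring, or any product's logic. It learns a per-conduit baseline of outbound bytes from a training window of flow records and flags later records that either use a new (source, destination, port) triple or exceed the baseline mean plus k standard deviations. The flow records, the 10.x register address, the 203.0.113.x and 198.51.100.x destinations, and the byte counts are all constructed for the example; the mean-plus-k-sigma threshold is this example's choice of outlier rule, not something the article specifies.

```python
"""
Added example (not from the article): a small egress-baseline checker in the
spirit of "know your network's normal behavior and spot the outliers".

It learns which (src, dst, port) conduits exist and how many bytes they
normally carry from a baseline window of flow records, then flags records in
a later window that use an unseen conduit or move far more data than usual.
All flow records here are constructed; hosts and byte counts are invented.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    hour: int        # simplified timestamp: hour index within the capture
    src: str         # internal host (e.g. a POS register)
    dst: str         # external destination
    dport: int       # destination port
    out_bytes: int   # bytes sent from src to dst during that hour


Conduit = Tuple[str, str, int]  # (src, dst, dport)


class Baseline:
    """Per-conduit statistics of outbound volume learned from known-good flows."""

    def __init__(self, flows: List[Flow], k: float = 3.0):
        self.k = k
        per_conduit: Dict[Conduit, List[int]] = defaultdict(list)
        for f in flows:
            per_conduit[(f.src, f.dst, f.dport)].append(f.out_bytes)
        # mean and population standard deviation of out_bytes per known conduit
        self.stats = {c: (mean(v), pstdev(v)) for c, v in per_conduit.items()}

    def check(self, f: Flow) -> List[str]:
        """Return the reasons a flow looks anomalous (empty list when normal)."""
        key = (f.src, f.dst, f.dport)
        if key not in self.stats:
            # An egress path never seen in the baseline: a conduit to review or close.
            return ["new conduit"]
        mu, sigma = self.stats[key]
        # Floor sigma at 1 byte so a perfectly constant baseline still produces a threshold.
        threshold = mu + self.k * max(sigma, 1.0)
        return ["volume blip"] if f.out_bytes > threshold else []


def review(baseline_flows: List[Flow], observed: List[Flow]) -> List[Tuple[Flow, List[str]]]:
    """Run every observed flow through the learned baseline; return only flagged ones."""
    b = Baseline(baseline_flows)
    flagged = []
    for f in observed:
        reasons = b.check(f)
        if reasons:
            flagged.append((f, reasons))
    return flagged


# Constructed baseline: one week of a register talking only to its payment gateway,
# sending roughly 4.0 to 4.4 KB per hour.
BASELINE = [Flow(h, "10.1.1.20", "203.0.113.10", 443, 4000 + (h % 5) * 100)
            for h in range(24 * 7)]

# Constructed observation window: one normal hour plus two things worth a look.
OBSERVED = [
    Flow(200, "10.1.1.20", "203.0.113.10", 443, 4200),    # same conduit, normal volume
    Flow(201, "10.1.1.20", "203.0.113.10", 443, 52000),   # same conduit, more than 10x volume
    Flow(202, "10.1.1.20", "198.51.100.7", 21, 900000),   # never-seen destination and port
]

if __name__ == "__main__":
    for flow, why in review(BASELINE, OBSERVED):
        print(f"hour {flow.hour}: {flow.src} -> {flow.dst}:{flow.dport} "
              f"{flow.out_bytes} bytes  [{', '.join(why)}]")
```

Running the block flags hours 201 and 202 and stays quiet about hour 200. In practice the baseline would be rebuilt periodically from flow exports rather than from a hard-coded list, and "new conduit" findings are the ones that feed the "close unnecessary ports" step the article recommends, while "volume blip" findings are candidates for the response team to examine.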

Although monitoring networks isn't a 100% guaranteed way of preventing attacks, it helps slow down potential threats, and by slowing them down companies can better react to the situation. For this to be effective, companies need a response operation team. Since only 10% of companies have such a team, many organizations are at risk of being attacked. Changing the infrastructure of the network to close holes is a simple idea but leaves room for error. Companies have to think outside the box in order to better prepare themselves for attacks.

http://www.darkreading.com/attacks-breaches/operation-stop-the-exfiltration/d/d-id/1171947

Cyber Criminals' Budget

A new study has found that many cyber attacks are funded by criminals who tweak preexisting malware. In Websense's parlance, advanced attacks such as APTs and Stuxnet would require a huge investment. Lower-end attacks, however, require less, since most of the malware is simply reconfigured. Many attackers today prefer to use exploit kits rather than create their own malware. Since kits are inexpensive, there is a huge market for them today.

Websense reports that 67 million attacks via exploit kits were detected last year. One of the most popular kits was Blackhole, until its creator was arrested. After the arrest the cyber criminal community moved on to the Magnitude kit. Magnitude and Redkit have become popular this year. Seeing how cyber criminals operate and their determination to complete their goals is quite compelling. These two new kits demonstrate how well prepared cyber criminals are in case of an emergency.

Some elite attackers don't even consider using kits. They see kits as a way of getting caught because of the markers they leave after an attack. Just as businesses do today, cyber criminals use cheap materials in order to create malware of higher value. Zeus, for example, targeted financial information and credentials. Kits built on its software are now marketed to target government, retail, healthcare, and education. Java also poses a threat, since most people don't download its updates. This leaves users running old software with security holes in it. It's always sad to see people not update their software. In these cases I believe people take their computer's security for granted. Another threat is websites, which account for 85 percent of malicious links.

Many cyber criminals are starting to target specific populations, communities, and individuals. These criminals are finding vulnerable computer systems to exploit. Malware creation and distribution has become such a lucrative business that new programs are continuously being made. Although we have statistics on its creation, efforts to stop it seem to be failing. As the saying goes, you take one out and another one follows.

http://www.darkreading.com/vulnerabilities---threats/cyber-criminals-operate-on-a-budget-too/d/d-id/1141650

More on the NSA!

The NSA shot down a press report stating that it had planted malware on millions of computers worldwide and impersonated Facebook and other websites to lure potential targets. The Intercept news site reported that classified documents leaked by Snowden showed the NSA had built technology to infect millions of computers around the world with malware in order to gain data from foreign Internet and phone networks. The malware initially went after a few hundred targets but evolved to reach targets on a much larger scale. The system, known as TURBINE, was built to infect millions of computers by controlling groups of implants automatically. The NSA apparently used a Facebook server to infect a user and grab files from their hard drive. The report also said the NSA used Internet traffic patterns to find a target.

However, the NSA has denied all claims. In a statement it said, "Recent media reports that allege NSA has infected millions of computers around the world with malware, and that NSA is impersonating U.S. social media or other websites, are inaccurate. NSA uses its technical capabilities only to support lawful and appropriate foreign intelligence operations, all of which must be carried out in strict accordance with its authorities. Technical capability must be understood within the legal, policy, and operational context within which that capability must be employed." I'm guessing they forgot about their unlawful invasion of privacy in Europe.

The NSA also claimed that it does not impersonate company websites and only targets users legally. Facebook CEO Mark Zuckerberg called the President to address media reports on government surveillance. Zuckerberg states that his company works hard to create a secure environment for users and has been frustrated by reports of the US government using Facebook unlawfully to find potential targets. Although he called the President to state his concerns, he believes that reform is a long way off.

It's currently hard to know whether the information we are being told by the media is true or false. After the recent revelation about the NSA spying on citizens of another country as well as the German government, it isn't hard to believe that what the media is saying is true. The use of social media in order to spread malware to obtain files is quite ingenious. This goes to show how smart people are becoming when they want to obtain private information. The fact that Mark Zuckerberg is saying that the U.S. government should be more transparent or the people will believe the worst just shows how people are starting to lose faith in their government. Only time will tell whether or not these allegations are true.

http://www.darkreading.com/attacks-breaches/nsa-disputes-report-on-program-to-automate-infection-of-millions-of-machines/d/d-id/1141464?

Trustwave Sued by Banks

The security firm Trustwave and Target are being sued by Trustmark National Bank and Green Bank. The banks are suing for $5 million in damages to cover the cost of cancelling and reissuing MasterCards. They also accuse Target of failing to protect personally identifying information, which means it was not compliant with the Payment Card Industry Data Security Standard. Since Target and Trustwave failed in their duties, the banks must reissue credit and debit cards to prevent fraud and repay any illegal purchases. The banks state that Trustwave claimed to provide round-the-clock monitoring services to Target to detect intrusions into Target's systems. However, Trustwave failed to provide that security, which meant it failed to meet industry standards.

Many of these allegations are based on press reports with no solid evidence. USA Today reported that Target was not PCI DSS compliant because of the attack. However, Target was certified as PCI compliant before the attack. The malware released by the attackers intercepted credit card data the moment the card was swiped, before it was encrypted and stored. This type of malware exploited a weakness in payment processing. In a recent interview an analyst said PCI standards would not have caught this and that the banks should shoulder some of the blame as well. Since the banks failed to pay for EMV chip security for US credit cards and failed to spend money on safer security measures, should Target or Trustwave be held liable?

This malware attack shows the vulnerabilities in systems and how much trouble they can cause a company. If better preemptive measures had been taken to secure customer information, all of this could have been avoided. A breach in security causes more problems than information being stolen: Target and Trustwave are now under fire with lawsuits from banks, and a breach can also jeopardize customer-business relationships. In the end everyone becomes a victim of a cyber attack, and everyone pays the consequences for the failure of one.

http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d-id/1127936?