Issue No. 4 | April 2014
Cyber security monthly newsletter
Today Roskomnadzor (the Federal Supervision Agency for Information Technologies and Communications) has published a press release warning website owners not to use CloudFlare, a popular foreign CDN service. According to the federal agency, service representatives ignore deletion requests for websites hosted on the service and post content in breach of current legislation. Hence, many well-behaved sites will be blocked by Russian providers (for example, apparently, it’s been decided to block CloudFlare completely).
Legislative news and regulatory recommendations
Any action on the Internet is a data exchange. Every time you launch a video, send a message via a social network, or open your favourite site, your PC sends a request to the corresponding server and gets a response. As a rule, the data exchange is executed through HTTP. This protocol not only establishes data exchange rules but also serves as a vehicle for data transfer – the browser uses HTTP to download site content onto your PC or smartphone.
On 7 April, a vulnerability in OpenSSL, a full-strength general-purpose cryptography library, was detected. This vulnerability has become so famous that it has even acquired a name – Heartbleed. It is so important because OpenSSL is used by two thirds of Internet resources, including some of the most popular websites - Yandex, Google, Facebook and many more among them. The vulnerability enables attackers to read up to 64 kilobytes of the victim's random web-server memory in unencrypted form. With time and patience, requests can be repeated until the information obtained contains users’ logins and passwords.
With the cessation of Windows XP support for Microsoft Security Essentials, the anti-virus program for this OS – actually quite a user-friendly tool - has also been discontinued.
Microsoft has issued a security advisory (SA 2963983) notifying users that the new Zero Day Remote Code Execution vulnerability CVE-2014-1776 exists in all current MS Internet Explorer 6-11 versions and is being used in targeted attacks to deliver malware code (a drive-by download). Attackers exploit this vulnerability by using a specially formed webpage and a Flash Player object.
Symantec Corporation, a data protection company, has detected new ATM malware which enables attackers to take remote control of a cash machine by means of a connected mobile phone.
Yaroslavl police have detained two citizens of Moldova accused of planning to steal cash using some skimming equipment they had installed.
A criminal case of grand fraud has been filed with a Smolensk Oblast court with respect to a Roslavl bank officer who allegedly transferred over 2 million rubles from clients' accounts to her personal accounts.
Izvestia reports that the Bank of Russia has obligated Russian banks to enhance control over privacy security legislation compliance, says a letter signed by Aleksei Simanovsky, the bank’s First Deputy Chairman, and sent out to commercial lending institutions.
Data from credit cards used for ticket purchases from Russian Railways have been compromised through the Heartbleed vulnerability, despite the gap being eliminated from the system only a week later (15.04.2013). By exploiting the well-known vulnerability, unknown attackers may have stolen the website's data.
DDoS attacks on banks and the finance sector in 2013 have grown by 112 percent year-on-year, Olga Uskova, president of the National Innovation and Information Technology Development Association, reported during a round table discussion in the State Duma dedicated to legislative aspects of strategic information systems development for the banking and financial sectors.
Moscow: Carberp team found guilty. According to the K Department of the RF Ministry of Internal Affairs, the culprits created one of the world's largest botnets targeting remote banking systems. The criminals have been sentenced to five and eight years of imprisonment, respectively.
Internet and telecommunications
Kristoffer Von Hassel, a five-year-old boy from San Diego, has managed to randomly find a vulnerability in the Xbox Live authentication system.
Stage magician and inventor Nevil Maskelyne ruined a public demonstration of an allegedly secure wireless data transfer system (powered by Marconi Wireless Telegraph Company) by John Fleming by sending abusive messages via Morse Code, which flashed on the screen before the audience.
The Electronic Frontier Foundation has published new information on the Next Generation Identification (NGI) biometric database, developed under FBI orders and scheduled to be launched in the summer of 2014. The news was obtained through an FBI trial on keeping the project secret.
Google has updated its service usage policies by adding the right to scan personal data. Not only email messages but also all other content is now subject to Google supervision.
Industry and services
Foreign email and instant messaging services, as well as Russian entities, will be obliged to ensure data storage of user activity for at least six months on servers located in Russia, according to the “Anti-Terrorist Package” of laws adopted by the State Duma by the third reading on Tuesday. According to expert estimates, if foreign companies should fail to comply with the new law, access to their services in Russia may be denied.
Amazon, Facebook, Google, Intel, Microsoft, Cisco, Dell, IBM, Fujitsu, NetApp, VMware Qualcomm, and RackSpace have cofounded the Core Infrastructure Initiative, established under the aegis of Linux Foundation. The initiative is aimed at supporting software development, which is critical for global information infrastructure to function normally. The foundation was established as a response to the catastrophic Heartbleed bug in OpenSSL, which threatened the security of the entire Internet. OpenSSL was the first project to receive the foundation's support.
Microsoft, Oracle, Symantec, Hewlett-Packard, and a number of other US-based companies are joining sanctions imposed on Russia. Gazeta.ru reported on the decision of the IT titans with a link to sources in the technical departments of two banks included in the American blacklist.
Heartbleed news selection
In its latest security advisory issue, the OpenSSL Project has reported a critical vulnerability, CVE-2014-0160, in its popular cryptographic library.
Heartbleed is an especially disturbing bug that enables attackers to read up to 64 kb of user memory. Information security experts admit, “Without using any privileged information or credentials, we were able steal the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication from ourselves.”
The TLS server private key, TLS client private key (if the client is vulnerable), cookies, logins, passwords, and any other data exchanged between the server and its clients are all vulnerable. The communication channel need not be tapped, it is enough to send a special package untraceable in the server logs.
While the industry as a whole is recovering from the Heartbleed blow, certain companies have published some press releases and comments.
The Yandex main page will link you to recommendations on how to supervise and regularly change your passwords.
The new update is based on FreeBSD 8.3 with the latest m0n0wall solutions and active pf and ALTQ usage. Available for download are a variety of i386 and amd64 architectures from 80 to 180 Mb, including LiveCD and samples to send directly to you via Compact Flash (512 Mb, 1 Gb, 2Gb, 4Gb).
The CloudFlare research team has posted an article entitled Answering the Critical Question: Can You Get Private SSL Keys Using Heartbleed? on their blog, where they pose the question of whether it was possible to obtain private keys by means of the notorious Heartbleed vulnerability. One attempt to extract a private key from RAM failed, hence the expert concluded that being able to steal SSL certificates with Heartbleed was unlikely.
Many of you have already heard of the newly-found OpenSSL vulnerability. There’s no doubt the vulnerability is getting prime media coverage: Not only are articles being written about it, but entire websites have been dedicated, verification services generated, and cartoons inspired. And no wonder. The scale of infection is truly impressive - according to certain estimates, over 17 percent of all websites supporting SSL are vulnerable; considering the simplicity of exploitation, this event is akin to a pandemic.
The notorious Heartbleed bug detected in the OpenSSL library has shaken the software industry, as well as busted open some myths about open source software.
Client vulnerability is still looming. While top payment services react within 24 hours, it might take you some time to get a patch from a smartphone or smart TV manufacturer. An infected website can easily rip the client's memory – be it an under-patched browser, smartphone, tablet, overly smart TV set, video game console, etc. Any device that can download web pages (including your home Linux) and process confidential data is a target - and at times, a long-term target.
Passions over the recently detected OpenSSL vulnerability continue to rule the game. Yesterday, news.ycombinator.com announced a series of successful attacks on the OpenVPN server and a private key used by the server to decode traffic sent by a compromised client.
Google search results for an allegedly hacked webpage will display a “This site may be hacked” message. Perhaps you think your website will never be hacked, however, it happens all the time. Hackers attack many resources seeking to undermine their reputation or obtain private user data.
Attackers are constantly enhancing their techniques for injecting webpages with malicious code. While earlier it used to be static content and CMS php-scripts modification, nowadays more intricate methods are employed.
As early as December 2013, the first documents revealing certain peculiarities of the notorious NSA practices leaked. It turned out its agents are able to easily track web users using DoubleClick cookies.
Win32/Sality is a well-known family of file infectors using a P2P-based botnet since 2003. Sality can act both as a virus and a downloader for other malware used to send out spam, organize DDoS, generate advertising traffic, and hack VoIP accounts. Commands and files transferred via Sality are RSA-encoded. The malware's module architecture, along with the botnet's longevity, demonstrates how thorough the bad guys were when creating this code.
EyeLock, a company dealing in biometric security systems based on iris scanning, has presented a portable USB scanner called Myris. According to the EyeLock website, the probability of a false positive is 1 in 2,250,000,000,000. The high rate of accuracy is because the scanner analyses not one but both eyes, each of them with a unique iris pattern. A more reliable identification can only be performed through a DNA analysis; all other biometric identification techniques suffer a much higher percentage of fallacy.
Last autumn, a crowdfunding campaign for the TrueCrypt comprehensive security assessment amassed over $60,000. On 14 April, Phase 1 of the Audit was complete – iSECpartners submitted a report on the TrueCrypt code quality audit. Phase 2 will see formal cryptoanalysis.
On 25 September 2013, a new ISO/IEC 27001:2013 standard, entitled Information Security Management Systems — Requirements, was published to succeed a similar standard dated 2005. A brief overview.
Learn something new: cyber security technology updates
To be added to bookmarks
Syrian politics are having big ramifications on the web this week. First up, the Syrian Electronic Army has released what it alleges are hacked invoices from Microsoft that document months of transactions between Microsoft's Global Criminal Compliance team and the FBI's Digital Intercept Technology Unit (DITU) regarding requests for Microsoft user information.
Current models for cybersecurity are becoming less and less effective in the face of more sophisticated attacks. They tend to be compliance- or technology-driven and are highly manual–making them difficult to scale. All too often as well, security is the bottleneck for innovative business initiatives.
Data breaches at Target and other retailers have been making headlines, but it turns out that financial institutions are finding their operations increasingly impacted as well. A survey by ACI Worldwide of financial industry professionals found that a full 44% of customer accounts have been compromised.
For the first time, NTT has pooled the resources of its group companies and produced a threat report based on an analysis of 3 billion attacks. What it found is that while attackers move faster than defenders, and there are still many basic processes and procedures that companies are failing to implement.