Insights

Issue No. 4 | April 2014

Cyber security monthly newsletter

April 10

Roskomnadzor recommends hosting websites in Russia

Today Roskomnadzor (the Federal Supervision Agency for Information Technologies and Communications) published a press release warning website owners against using CloudFlare, a popular foreign CDN service. According to the federal agency, the service's representatives ignore requests to take down websites hosted on it that publish content in breach of current legislation. As a result, many well-behaved sites will be blocked by Russian providers (it appears, for example, that a decision has been made to block CloudFlare completely).

Legislative news and regulatory recommendations

What is HTTPS and how does it protect you on the Web?

Any action on the Internet is a data exchange. Every time you launch a video, send a message via a social network, or open your favourite site, your PC sends a request to the corresponding server and gets a response. As a rule, the data exchange is executed through HTTP. This protocol not only establishes data exchange rules but also serves as a vehicle for data transfer: the browser uses HTTP to download site content onto your PC or smartphone.

April 11

Time to change your passwords

On 7 April, a vulnerability was detected in OpenSSL, a full-strength general-purpose cryptography library. The vulnerability has become so famous that it has even acquired a name: Heartbleed. It matters so much because OpenSSL is used by two thirds of Internet resources, including some of the most popular websites, Yandex, Google and Facebook among them. The vulnerability enables attackers to read up to 64 kilobytes of arbitrary web-server memory in unencrypted form. With time and patience, requests can be repeated until the data obtained contains users' logins and passwords.

April 12

Testing free anti-viruses, or seeking an alternative to Microsoft Security Essentials for Windows XP

With the end of Windows XP support, Microsoft Security Essentials, the anti-virus program for this OS (and actually quite a user-friendly tool), has also been discontinued.

April 27

New Internet Explorer vulnerability – an “in-the-wild” exploit

Microsoft has issued a security advisory (SA 2963983) notifying users that the new zero-day remote code execution vulnerability CVE-2014-1776 exists in all current versions of Internet Explorer (6 through 11) and is being used in targeted attacks to deliver malware (a drive-by download). Attackers exploit the vulnerability using a specially crafted webpage together with a Flash Player object.

Staying secure

Finance sector

April 2

Cybercriminals learn how to hack into ATMs with SMS

Symantec Corporation, a data protection company, has detected new ATM malware which enables attackers to take remote control of a cash machine by means of a connected mobile phone.

April 3

Moldavian skimmers detained in Yaroslavl

Yaroslavl police have detained two citizens of Moldova accused of planning to steal cash using some skimming equipment they had installed.

April 7

Bank officer in Smolensk Oblast stole over 2 million rubles from client accounts

A criminal case for large-scale fraud has been filed with a Smolensk Oblast court against a bank officer in Roslavl who allegedly transferred over 2 million rubles from clients' accounts to her personal accounts.

April 8

CBR orders banks to reinforce client data protection

Izvestia reports that the Bank of Russia has obliged Russian banks to tighten control over compliance with personal data protection legislation, according to a letter signed by Aleksei Simanovsky, the bank's First Deputy Chairman, and sent out to commercial lending institutions.

April 16

Around 70,000 bank details compromised through RZD payment gate

Data from credit cards used to buy tickets from Russian Railways have been compromised through the Heartbleed vulnerability, the hole having been closed in the system only a week later (15.04.2013). By exploiting the well-known vulnerability, unknown attackers may have stolen the website's data.

April 16

DDoS attacks on banks and finance sector in 2013 grow by 112%

DDoS attacks on banks and the finance sector grew by 112 percent year-on-year in 2013, Olga Uskova, president of the National Innovation and Information Technology Development Association, reported during a round table in the State Duma on the legislative aspects of developing strategic information systems for the banking and financial sectors.

April 21

Hackers sentenced to five and eight years in jail for theft

Moscow: the Carberp team has been found guilty. According to the K Department of the RF Ministry of Internal Affairs, the culprits created one of the world's largest botnets targeting remote banking systems. The criminals have been sentenced to five and eight years of imprisonment, respectively.


Internet and telecommunications

April 5

5-year-old kid hacked Xbox Live

Kristoffer Von Hassel, a five-year-old boy from San Diego, stumbled upon a vulnerability in the Xbox Live authentication system.

April 11

History of information systems hacks (1903-1971)

Stage magician and inventor Nevil Maskelyne ruined John Fleming's public demonstration of an allegedly secure wireless data transfer system (built by the Marconi Wireless Telegraph Company) by sending abusive messages in Morse code, which flashed up on the screen in front of the audience.

April 15

FBI plans to expand facial recognition database to 52 million images

The Electronic Frontier Foundation has published new information on the Next Generation Identification (NGI) biometric database, developed under FBI orders and scheduled for launch in the summer of 2014. The information was obtained through a lawsuit against the FBI over its secrecy about the project.

April 15

Google authorizes itself to read users' email

Google has updated its terms of service, adding the right to scan personal data. Not only email messages but all other content is now subject to Google's scrutiny.


Industry and services

April 22

Google and Skype may be banned from Russia

Foreign email and instant messaging services, as well as Russian entities, will be obliged to store records of user activity for at least six months on servers located in Russia, under the "Anti-Terrorist Package" of laws adopted by the State Duma in its third reading on Tuesday. According to expert estimates, if foreign companies fail to comply with the new law, access to their services in Russia may be denied.

April 24

Linux Foundation and largest IT companies set up foundation to support critical open-source software

Amazon, Facebook, Google, Intel, Microsoft, Cisco, Dell, IBM, Fujitsu, NetApp, VMware, Qualcomm, and RackSpace have co-founded the Core Infrastructure Initiative, established under the aegis of the Linux Foundation. The initiative aims to support the development of software that is critical for the global information infrastructure to function normally. The foundation was established in response to the catastrophic Heartbleed bug in OpenSSL, which threatened the security of the entire Internet. OpenSSL was the first project to receive the foundation's support.

April 30

Microsoft, Oracle, others join anti-Russia sanctions

Microsoft, Oracle, Symantec, Hewlett-Packard, and a number of other US-based companies are joining the sanctions imposed on Russia. Gazeta.ru reported the IT giants' decision, citing sources in the technical departments of two banks included in the American blacklist.


Heartbleed news selection

April 8

Critical vulnerability in OpenSSL 1.0.1 and 1.0.2-beta

In its latest security advisory issue, the OpenSSL Project has reported a critical vulnerability, CVE-2014-0160, in its popular cryptographic library.

OpenSSL Heartbleed bug diagnosed

Heartbleed is an especially disturbing bug that enables attackers to read up to 64 KB of memory. Information security experts admit, "Without using any privileged information or credentials, we were able to steal the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication from ourselves."

April 9

OpenSSL Heartbleed vulnerability reference manual

The TLS server private key, the TLS client private key (if the client is vulnerable), cookies, logins, passwords, and any other data exchanged between the server and its clients are all exposed. The communication channel need not be tapped; it is enough to send a special packet that leaves no trace in the server logs.
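The over-read that both the April 11 "Time to change your passwords" item and this note describe comes down to one missing length check in the heartbeat handler. The following C program is an added illustration, not code from the newsletter or from OpenSSL: it models a heartbeat request with a constructed "hello" payload and a constructed secret string standing in for whatever happened to sit next to the record in memory, then runs it through a handler written with the pre-fix logic and one carrying the bounds check the fix introduced.

```c
#include <stdint.h>
#include <string.h>

/* TLS heartbeat body: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * build_message() writes a constructed request whose real payload is the 5 bytes "hello",
 * then places a constructed secret right after the record, standing in for whatever
 * happened to sit next to it in process memory. Returns the real record length. */
static size_t build_message(uint8_t *buf, uint16_t claimed_len) {
    const char *adjacent = "SECRET=password123456";   /* constructed neighbouring data */
    size_t n = 0;
    buf[n++] = 1;                                     /* heartbeat_request */
    buf[n++] = (uint8_t)(claimed_len >> 8);           /* peer-chosen payload_length */
    buf[n++] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + n, "hello", 5); n += 5;              /* bytes actually sent */
    memset(buf + n, 0, 16);      n += 16;             /* minimum padding */
    memcpy(buf + n, adjacent, strlen(adjacent));      /* lies beyond the record */
    return n;
}
/* Pre-fix logic: payload_length is trusted and the received record length is never
 * consulted, so the reply echoes whatever follows the payload. Returns bytes copied. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;
    memcpy(out, rec + 3, payload);
    return payload;
}
/* Fixed logic (the bounds check added in OpenSSL 1.0.1g): a request whose declared
 * length does not fit inside the received record is discarded. Returns -1 when rejected. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1 + 2 + 16) return -1;                   /* no room for header + padding */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + 16 > rec_len) return -1; /* declared length exceeds record */
    memcpy(out, rec + 3, payload);
    return payload;
}
/* Build a message with the given claimed length and run one handler on it. The 128-byte
 * backing buffer keeps the demonstration's over-read inside memory this program owns. */
static int run_vulnerable(uint16_t claimed_len, uint8_t *reply) {
    uint8_t buf[128] = {0};
    if (claimed_len > 125) return -1;                      /* demo bound, not a protocol rule */
    size_t rec_len = build_message(buf, claimed_len);
    return heartbeat_vulnerable(buf, rec_len, reply);      /* copies past the 24-byte record */
}
static int run_fixed(uint16_t claimed_len, uint8_t *reply) {
    uint8_t buf[128] = {0};
    size_t rec_len = build_message(buf, claimed_len);
    return heartbeat_fixed(buf, rec_len, reply);
}
```

With a claimed length of 64 the vulnerable handler's reply carries the secret at offset 21 (after the 5 payload bytes and 16 bytes of padding), while the fixed handler rejects the request and still answers a well-formed one whose claimed length is 5.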

April 10

Heartbleed: what vendors say

While the industry as a whole is recovering from the Heartbleed blow, certain companies have published some press releases and comments.

April 11

Time to change your passwords

The Yandex main page will link you to recommendations on how to manage and regularly change your passwords.

New pfSense 2.1.2 open-source network firewall released in less than a week

The new release is based on FreeBSD 8.3, incorporates the latest m0n0wall work, and makes active use of pf and ALTQ. Builds for the i386 and amd64 architectures, ranging from 80 to 180 MB, are available for download, including a LiveCD and images for Compact Flash cards (512 MB, 1 GB, 2 GB, 4 GB).

April 12

SSL key successfully stolen from CloudFlare

The CloudFlare research team has posted an article entitled "Answering the Critical Question: Can You Get Private SSL Keys Using Heartbleed?" on its blog, asking whether private keys could be obtained by means of the notorious Heartbleed vulnerability. One attempt to extract a private key from RAM failed, so the researcher concluded that stealing SSL private keys with Heartbleed was unlikely.

How is Heartbleed dangerous for ordinary users?

Many of you have already heard of the newly found OpenSSL vulnerability. There is no doubt the vulnerability is getting prime media coverage: not only are articles being written about it, but entire websites have been dedicated to it, verification services created, and cartoons inspired. And no wonder. The scale of the problem is truly impressive: according to some estimates, over 17 percent of all websites supporting SSL are vulnerable, and considering the simplicity of exploitation, this event is akin to a pandemic.

April 13

Heartbleed and myths about open source

The notorious Heartbleed bug detected in the OpenSSL library has shaken the software industry, as well as busted open some myths about open source software.

April 14

How is Heartbleed even more dangerous for ordinary users?

Client-side vulnerability is still looming. While top payment services react within 24 hours, it might take you some time to get a patch from a smartphone or smart TV manufacturer. A malicious website can easily read the client's memory, be it an under-patched browser, smartphone, tablet, overly smart TV set, video game console, etc. Any device that can download web pages (including your home Linux box) and process confidential data is a target, and at times a long-term one.

April 17

Heartbleed successfully compromised OpenVPN

Passions over the recently detected OpenSSL vulnerability continue to run high. Yesterday, news.ycombinator.com reported a series of successful attacks on an OpenVPN server that recovered the private key the server uses to decrypt traffic sent by a compromised client.

Articles

April 1

How do you detect hacker activities, eliminate them and protect your website from attacks?

Google search results for a webpage believed to have been hacked will display a "This site may be hacked" message. Perhaps you think your website will never be hacked; however, it happens all the time. Hackers attack many resources seeking to undermine their reputation or obtain private user data.

April 3

Yandex information security investigation: Rdomn, the phantom menace

Attackers are constantly refining their techniques for injecting malicious code into webpages. Whereas earlier this meant modifying static content and CMS PHP scripts, nowadays more intricate methods are employed.

April 6

DoubleClick-type systems allow identification of up to 90% of users

As early as December 2013, the first documents revealing certain peculiarities of the notorious NSA practices leaked. It turned out its agents are able to track web users easily using DoubleClick cookies.

April 8

Sality modifies routers' DNS service

Win32/Sality is a well-known family of file infectors that has used a P2P-based botnet since 2003. Sality can act both as a virus and as a downloader for other malware used to send out spam, organize DDoS attacks, generate advertising traffic, and hack VoIP accounts. Commands and files transferred via Sality are RSA-encoded. The malware's modular architecture, along with the botnet's longevity, shows how thorough the bad guys were when creating this code.

April 14

EyeLock presents USB eye scanner with built-in password manager

EyeLock, a company dealing in biometric security systems based on iris scanning, has presented a portable USB scanner called Myris. According to the EyeLock website, the probability of a false positive is 1 in 2,250,000,000,000. The high accuracy comes from the scanner analysing not one but both eyes, each with its own unique iris pattern. Only DNA analysis can identify a person more reliably; all other biometric identification techniques suffer a much higher error rate.

April 15

Phase 1 of TrueCrypt Security Audit – no critical bugs detected

Last autumn, a crowdfunding campaign for a comprehensive security assessment of TrueCrypt amassed over $60,000. On 14 April, Phase 1 of the audit was completed: iSEC Partners submitted a report on its audit of TrueCrypt code quality. Phase 2 will consist of formal cryptanalysis.

April 29

Transition to ISO/IEC 27001:2013. Translation Tricks and More

On 25 September 2013, a new ISO/IEC 27001:2013 standard, entitled Information Security Management Systems — Requirements, was published to succeed a similar standard dated 2005. A brief overview.

Learn something new: cyber security technology updates

21 March

Syrian Electronic Army Hacks Microsoft, and the Country Disappears from the Web

Syrian politics are having big ramifications on the web this week. First up, the Syrian Electronic Army has released what it alleges are hacked invoices from Microsoft that document months of transactions between Microsoft's Global Criminal Compliance team and the FBI's Digital Intercept Technology Unit (DITU) regarding requests for Microsoft user information.

25 March

Why Cybersecurity Doesn’t Stop Attacks

Current models for cybersecurity are becoming less and less effective in the face of more sophisticated attacks. They tend to be compliance- or technology-driven and are highly manual, making them difficult to scale. All too often as well, security is the bottleneck for innovative business initiatives.

25 March

44% of Financial Accounts Have Been Affected By Data Compromise

Data breaches at Target and other retailers have been making headlines, but it turns out that financial institutions are finding their operations increasingly impacted as well. A survey by ACI Worldwide of financial industry professionals found that a full 44% of customer accounts have been compromised.

27 March

Analysis of 3 Billion Attacks Demonstrates Security Gap Between Attack and Defense

For the first time, NTT has pooled the resources of its group companies and produced a threat report based on an analysis of 3 billion attacks. What it found is that attackers move faster than defenders, and that there are still many basic processes and procedures that companies are failing to implement.

Foreigner corner
