Saturday 12 April 2014

Report says NSA exploited Heartbleed, kept flaw secret -- but agency denies it

The National Security Agency reportedly knew about the Heartbleed bug for at least two years, kept it secret, and exploited it to gather intelligence -- news that is fueling criticism that the agency's spying efforts undermine the safety of the Internet for everyone.
By using Heartbleed, the NSA "was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost," Bloomberg reports, citing two unnamed people familiar with the matter. "Millions of ordinary users were left vulnerable to attack from other nations' intelligence arms and criminal hackers."
Though the NSA initially declined Bloomberg's request to comment "on the agency's knowledge or use of" the Heartbleed bug, it issued a denial late Friday: The "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong."
Heartbleed is a security vulnerability in OpenSSL, software that's used by many Web sites to encrypt Web communications. The bug can reveal the contents of a server's memory, where the most sensitive of data is stored, including usernames, passwords, and credit card numbers. The revelation of the flaw this week sent major sites such as Google, Facebook, Yahoo, and Dropbox scrambling to patch their systems and had Internet users hustling to change their passwords.

Critics of the NSA say that its reported efforts to increase surveillance and other capabilities by undermining encryption, weakening network security standards, and influencing the building of backdoors into tech products threaten to destroy the security of the Internet. The agency is charged with both the defensive task of protecting US computer networks from attack and the offensive task of finding and exploiting vulnerabilities. Critics say these goals are at odds with each other: the surveillance wing might want to keep a vulnerability in place, secret, and exploitable, but this same hole that it's using to spy could be discovered and exploited by foes or criminals.
Last December, the NSA review panel handpicked by President Obama said that though it hadn't found evidence to support reports that the US government intentionally introduced backdoors into encryption software, it recommended that the government make it clear that the NSA will not undermine global encryption standards or demand changes to any products and services to make it easier for the agency to collect user data.
In his reform speech the following month, Obama declined to address that recommendation in detail, saying instead that the issue would be studied to determine "how we can continue to promote the free flow of information in ways that are consistent with both privacy and security."
He also said, "we cannot prevent terrorist attacks or cyberthreats without some capability to penetrate digital communications -- whether it's to unravel a terrorist plot; to intercept malware that targets a stock exchange; to make sure air traffic control systems are not compromised; or to ensure that hackers do not empty your bank accounts." It would, of course, be ironic if the agency's "capability to penetrate" communications was pegged to a vulnerability that hackers could also potentially unearth and use to drain bank accounts.
The Bloomberg report quoted a cybersecurity specialist, who discussed the NSA's process when it comes to handling vulnerabilities:

"The fact that the vulnerability existed in the transmission of ordinary data -- even if it's the kind of data the vast majority of users are concerned about -- may have been a factor in the decision by NSA officials to keep it a secret, said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies.
"They actually have a process when they find this stuff that goes all the way up to the director" of the agency, Lewis said. "They look at how likely it is that other guys have found it and might be using it, and they look at what's the risk to the country."
Lewis said the NSA has a range of options, including exploiting the vulnerability to gain intelligence for a short period of time and then discreetly contacting software makers or open source researchers to fix it.

The complete Bloomberg report is here.
Update, 2:50 p.m. PT: The Office of the Director of National Intelligence has posted a lengthier denial on its "IC [Intelligence Community] on the Record" site:
"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.
"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL.
"When Federal agencies discover a new vulnerability in commercial and open source software - a so-called "Zero day" vulnerability because the developers of the vulnerable software have had zero days to fix it - it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose.
"In response to the recommendations of the President's Review Group on Intelligence and Communications Technologies, the White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process. Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.

Zeus Criminals charged in Omaha, Nebraska

Legal documents analayzed below are available at the bottom of this DOJ article: Nine Charged in Conspiracy to Steal Millions of Dollars using Zeus Malware
We've talked about Zeus in this blog for many years, including some good arrests, such as Major Zeus Bust in the UK: Nineteen Zbot Thieves Arrested. But we now have names for the ring leaders of the biggest Zeus case of all time, Operation Trident BreACH. We knew the aliases of the Ring Leaders publicly thanks to Microsoft's work back in 2012 (see Microsoft DCU, FS-ISAC and NACHA vs. Zeus) but who were these mystery men: tank and petr0vich?
Now we know ... more anyway ... Two Ukrainian members of the Jabber Zeus gang stood in federal court in Omaha, Nebraska last week to plead "Not Guilty" after being extradicted from the UK. Yuriy Konovalenko and Yevhen Kulibaba are among the nine people listed in the indictments that have been sealed since August of 2012. The list of defendents is:

  • Yvacheslav Igorevich Penchukov, AKA tank, AKA father
  • Ivan Viktorvich Klepikov, AKA petr0vich, AKA nowhere
  • Alexey Dmitrievich Bron, AKA thehead
  • Alexey Tikonov, AKA kusanagi
  • Yevhen Kulibaba, AKA jonni
  • Yuriy Konovalenko, AKA jtk0
  • John Doe #1, AKA lucky12345
  • John Doe #2, AKA aqua
  • John Doe #3, AKA mricq
DOJ is still seeking four of the named criminals, and still has not publicly acknowledged the names of the three John Does. If you have information on these, please reach out to the FBI!
Tank == Vyacheslav Igorevich Penchukov, 32, of Ukraine, who allegedly coordinated the exchange of stolen banking credentials and money mules and received alerts once a bank account had been compromised.
Petr0vich == Ivan Viktorvich Klepikov, 30, of Ukraine, the alleged systems administrator who handled the technical aspects of the criminal scheme and also received alerts once a bank account had been compromised.
TheHead == Alexey Dmitrievich Bron, 26, of Ukraine, the alleged financial manager of the criminal operations who managed the transfer of money through an online money system known as Webmoney.
Kusunagi== Alexey Tikonov, of Russia, an alleged coder or developer who assisted the criminal enterprise by developing new codes to compromise banking systems.
Although jonni is only now coming to trial in the United States, the Metropolitan Police of London arrested Kulibaba and his wife Karina Kostromina back in October of 2011, as we learned from KrebsOnSecurity in his article ZeuS Trojan Gang Faces Justice. Yuriy Konovalenko, AKA Pavel Klikov, was also in custody in the UK and was "due to be sentenced" according to Krebs' article.
Many of the crimes covered in this indictment are well known to us already, largely due to the work of journalist Brian Krebs. While Krebs was still at the Washington Post writing his Security Fix column, he made Zeus a household name.
Selected Victims:
  • Bank of America
  • Bullitt County Kentucky - Security Fix, Brian Krebs, July 2009. -- Bullitt County had $415,000 stolen from their accounts after being infected by Zeus.
  • Doll Distributing of Des Moines, Iowa
  • First Federal Savings Bank of Elizabeth Town, Kentucky
  • Franciscan Sisters of Chicago, (Homewood, Illinois)
  • Husker AG, LLC of Plainview, Nebraska
  • Key Bank of Sylvania, Ohio
  • ODAT LLC, d/b/a Air Treatment Company
  • Parago, Inc of Lewisville, TX
  • Salisbury Bank & Trust of Salisbury, MA
  • Town of Egremont, Mass
  • Union Bank and Trust of Lincoln, Nebraska
  • Union Bankshares of Ruther Glen, VA
  • United Dairy, Inc of Martins Ferry, OH
The version of Zeus at the heart of this investigation communicated stolen credentials to a server located on the IP address 66.199.248.195 at Ezzi.net in Brooklyn, NY. An FBI Agent interviewed Mohammed Salim in September 2009, who confirmed that the server in question, called the Incomeet server, was custom built for a Russian company "IP-Server Ltd" in Moscow, whose POC was "Alexey S." Extensive chat logs were recovered from the server with four separate search warrants - September 28, 2009, December 9, 2009, March 17, 2010, and May 21, 2010. Those web servers showed the criminals discussing their conspiracy, including many instances of the criminals trading login credentials for bank accounts. Those chats also showed that the criminals closely follow Brian Krebs! Tank and Aqua are shown discussing his Bullitt County article linked above and saying "They laid out the entire scheme! I'm really pissed! They exposed the entire deal!"
Doll Distributing had $59,222 stolen from them in two occasions. One of those wire transfers went to "Pandora Service, LLC" and to "Kodash Consulting." FBI Agents interviewed Heidi Nelson and Renee Michelli, the proprietors of those organizations who had believed they were acting as "Financial agents" for a Russian software company. In other words, they were money mules.
All of the victims named above were discussed in the chat logs by the criminals charged in this case.
I especially enjoyed learning how TANK was identified by name. In the chat, on July 22, 2009, he announced that his daughter, Miloslava, had been born and gave her birth weight. A records search of Ukrainian birth records only showed one girl named Miloslava with that birth weight born on that day. Her father was Vyacheslav Igorevich Penchokov. This was enough to seize the computers from Tank's home, which confirmed it was the same person!
Petr0vich was discovered because of mentions of the email address "theklutch@gmail.com" in the chat logs. Gmail was subpoenaed to get records for this email account, which showed "92.242.127.198" had been used to log in to that email address at least 790 times. The secondary email for that account, "petr0vich@ua.fm", was given when the account was created November 24, 2004. Several other addresses were used to login to both the petr0vich jabber account on the Incomeet server and the Gmail address, including 209.160.22.135. Similar techniques were then used to find the computers located at those IP addresses. Ivan Viktorovich Klepikov was found to be living in Donetsk, Ukraine.
TheHead stated his real name in the chat, and gave his gmail account as "alexey.bron@gmail.com". He was telling the truth.
Kusunagi gave a phone number in the chat, and found that phone number on a public webpage where Alexey Tikonov's real name and contact information were given. He lived in Tomsk, Russia. He also used his Kusanagi identity to post videos where WHOIS information related to those videos location confirmed his location.
Jonni and Jtk0 were identified by Detective Sergeant Simon Williams of the Metropolitan Police of London.

Heartbleed: Free Tool To Check if That Site is Safe

I’m sure you’ve heard the news about Heartbleed by now (unless you’re in vacation wonderland and have taken a tech break). This is a serious vulnerability in the core of the Internet and is something we all should be concerned about.

Heartbleed is a kink in encryption software, discovered by security researchers. It is a vulnerability in OpenSSL and could affect nearly two-thirds of websites online. If exploited, it can leak out your passwords and login names, thus putting your personal information at risk.
That’s why McAfee, part of Intel Security, is responding to the dangerous Heartbleed vulnerability by releasing a free tool to help consumers determine if a website they visit is safe or not. You can access the tool, here: http://tif.mcafee.com/heartbleedtest
McAfee’s Heartbleed Checker tool works by entering any website name to find out if the website is currently vulnerable to Heartbleed.
Steps to protect yourself:
  • Go to McAfee’s Heartbleed Checker tool http://tif.mcafee.com/heartbleedtest and enter any website URL to check if it’s vulnerable.
  • If the site is deemed safe your next step would be to change your password for that site. Remember, changing your password before a site is patched will not protect you and your information.
  • If the site is vulnerable, then your best bet is to monitor the activity on that account frequently looking for unauthorized activity.
Once a site has been patched so it’s no longer vulnerable to the Heartbleed bug, you should change your password. Here’s some tips to remember:
  • Use strong passwords that include a combination of letters, numbers and symbols and are longer than 8 characters in length – heck the longer the better. Below is a good animation on how to create a strong password.
  • Use a password manager, like McAfee SafeKey which is included with McAfee LiveSafe™ service that will help you create strong password and remember them for you.
  • Use two-factor authentication for increased security. You get a one-time code every time someone tries to log into the account, such as those for banks, social networks and email.
Heartbleed aside, passwords are more vulnerable than ever, and just in general, should be changed every 90 days for important accounts. And remember, if your information was exposed, this is a good time to watch out for phishing scams.
A phishing scam is a ploy that tricks you into entering sensitive data, like usernames, passwords and bank account information, by emulating a familiar website. And if your information is compromised, even if it’s just your email address, scammers could use this to try and get your other sensitive information.
Remember, in this day and age, we all need to be vigilant about protecting ourselves online.
Stay safe!

IRS misses XP deadline, pays Microsoft millions for patches

The U.S. Internal Revenue Service (IRS) acknowledged this week that it missed the April 8 cut-off for Windows XP support, and will be paying Microsoft millions for an extra year of security patches.
Microsoft terminated Windows XP support on Tuesday when it shipped the final public patches for the nearly-13-year-old operating system. Without patches for vulnerabilities discovered in the future, XP systems will be at risk from cyber criminals who hijack the machines and plant malware on them.
During an IRS budget hearing Monday before the House Financial Services and General Government subcommittee, the chairman, Rep. Ander Crenshaw (R-Fla.) wondered why the agency had not wrapped up its Windows XP-to-Windows 7 move.
"Now we find out that you've been struggling to come up with $30 million to finish migrating to Windows 7, even though Microsoft announced in 2008 that it would stop supporting Windows XP past 2014," Crenshaw said at the hearing. "I know you probably wish you'd already done that."
According to the IRS, it has approximately 110,000 Windows-powered desktops and notebooks. Of those, 52,000, or about 47%, have been upgraded to Windows 7. The remainder continue to run the aged, now retired, XP.
John Koskinen, the commissioner of the IRS, defended the unfinished migration, saying that his agency had $300 million worth of IT improvements on hold because of budget issues. One of those was the XP-to-7 migration.
"You're exactly right," Koskinen said of Crenshaw's point that everyone had fair warning of XP's retirement. "It's been some time where people knew Windows XP was going to disappear."
But he stressed that the migration had to continue. "Windows XP will no longer be serviced, so we are very concerned if we don't complete that work we're going to have an unstable environment in terms of security," Koskinen said.
According to Crenshaw, the IRS had previously said it would take $30 million out of its enforcement budget to finish the migration.
Part of that $30 million will be payment to Microsoft for what the Redmond, Wash. developer calls "Custom Support," the label for a program that provides patches for critical vulnerabilities in a retired operating system.
Analysts noted earlier this year that Microsoft had dramatically raised prices for Custom Support, which previously had been capped at $200,000 per customer for the first year. Instead, Microsoft negotiates each contract separately, asking for an average of $200 per PC for the first year of Custom Support.
Using that average -- and the number of PCs the IRS admitted were still running XP -- the IRS would pay Microsoft $11.6 million for one year of Custom Support.
The remaining $18.4 million would presumably be used to purchase new PCs to replace the oldest ones running XP. If all 58,000 remaining PCs were swapped for newer devices, the IRS would be spending an average of $317 per system.
The IRS isn't the only government agency that has acknowledged paying for post-retirement XP support. The U.K. government, for example, has paid Microsoft more than 5.5 million (approximately $9.2 million) for Windows XP, Office 2003 and Exchange 2003 patches for the next 12 months.