Tuesday 15 April 2014

Hackers From China Waste Little Time in Exploiting Heartbleed

Hackers Plunder Encryption
Just one day after the Heartbleed bug was announced to the world, researchers spotted an attack exploiting it. Photographer: Jean Chung/Bloomberg
(Updates with latest data from University of Michigan in fourth graph)
For those who don't feel the urgency to install the latest security fixes for their computers, take note: Just a day after Heartbleed was revealed, attacks from a computer in China were launched.
The software bug, which affects a widely used form of encryption called OpenSSL, was announced to the world April 7 at 1:27 p.m. New York time, according to the Sydney Morning Herald. That sent companies scrambling to fix their computer systems -- and for good reason.
At 8:23 p.m. the following day, a computer in China that was previously used for hacking and other malicious activities tried to attack a server at the University of Michigan, said J. Alex Halderman, an assistant professor of electrical engineering and computer science. The university's computer was a "honeypot," which was intentionally left vulnerable and designed to attract attacks so researchers could study them.
The hackers' fast turnaround highlights how quickly the digital underworld is in taking advantage of newly disclosed software vulnerabilities. So far, 41 attempts to exploit the Heartbleed hole have been made on three honeypots operated by Halderman and his research team. About half have come from China. The attacks could include some attempts by other researchers trying to assess the impact of the bug.
Yahoo saw some of its user information spilled onto the Internet after waiting too long to fix the Heartbleed bug in its servers. The company said that it had fixed the problems on its main properties within 48 hours. It has now fixed the problem across all of its sites.

FBI to have 52 million photos in its NGI face recognition database by next year

The EFF
Jennifer Lynch is a senior staff attorney with the Electronic Frontier Foundation and works on open government, transparency and privacy issues, including drones, automatic license plate readers and facial recognition.
New documents released by the FBI show that the Bureau is well on its way toward its goal of a fully operational face recognition database by this summer.
The EFF received these records in response to our Freedom of Information Act lawsuit for information on Next Generation Identification (NGI)—the FBI’s massive biometric database that may hold records on as much as one-third of the US population. The facial recognition component of this database poses real threats to privacy for all Americans.

What is NGI?

NGI builds on the FBI’s legacy fingerprint database—which already contains well over 100 million individual records—and has been designed to include multiple forms of biometric data, including palm prints and iris scans in addition to fingerprints and face recognition data. NGI combines all these forms of data in each individual’s file, linking them to personal and biographic data like name, home address, ID number, immigration status, age, race, etc. This immense database is shared with other federal agencies and with the approximately 18,000 tribal, state, and local law enforcement agencies across the United States.
The records we received show that the face recognition component of NGI may include as many as 52 million face images by 2015. By 2012, NGI already contained 13.6 million images representing between 7 and 8 million individuals, and by the middle of 2013, the size of the database increased to 16 million images. The new records reveal that the database will be capable of processing 55,000 direct photo enrollments daily and of conducting tens of thousands of searches every day.

NGI will include non-criminal as well as criminal photos

One of our biggest concerns about NGI has been the fact that it will include non-criminal as well as criminal face images. We now know that FBI projects that by 2015, the database will include 4.3 million images taken for non-criminal purposes.
Currently, if you apply for any type of job that requires fingerprinting or a background check, your prints are sent to and stored by the FBI in its civil print database. However, the FBI has never before collected a photograph along with those prints. This is changing with NGI. Now an employer could require you to provide a “mug shot” photo along with your fingerprints. If that’s the case, then the FBI will store both your face print and your fingerprints along with your biographic data.
In the past, the FBI has never linked the criminal and non-criminal fingerprint databases. This has meant that any search of the criminal print database (such as to identify a suspect or a latent print at a crime scene) would not touch the non-criminal database. This will also change with NGI. Now, every record—whether criminal or non—will have a “Universal Control Number” (UCN), and every search will be run against all records in the database. This means that even if you have never been arrested for a crime, if your employer requires you to submit a photo as part of your background check, your face image could be searched—and you could be implicated as a criminal suspect—just by virtue of having that image in the non-criminal file.

Many states are already participating in NGI

The records detail the many states and law enforcement agencies the FBI has already been working with to build out its database of images (see map below). By 2012, nearly half of US states had at least expressed an interest in participating in the NGI pilot program, and several of those states had already shared their entire criminal mugshot database with the FBI. The FBI hopes to bring all states online with NGI by this year.
The FBI worked particularly closely with Oregon through a special project called “Face Report Card.” The goal of the project was to determine and provide feedback on the quality of the images that states already have in their databases. Through Face Report Card, examiners reviewed 14,408 of Oregon’s face images and found significant problems with image resolution, lighting, background and interference. Examiners also found that the median resolution of images was “well-below” the recommended resolution of .75 megapixels (in comparison, newer iPhone cameras are capable of 8 megapixel resolution).

FBI disclaims responsibility for accuracy

At such a low resolution, it is hard to imagine that identification will be accurate.1 However, the FBI has disclaimed responsibility for accuracy, stating that “[t]he candidate list is an investigative lead, not an identification.”
Because the system is designed to provide a ranked list of candidates, the FBI states NGI never actually makes a “positive identification,” and “therefore, there is no false positive rate.” In fact, the FBI only ensures that “the candidate will be returned in the top 50 candidates” 85 percent of the time “when the true candidate exists in the gallery.”
It is unclear what happens when the “true candidate” does not exist in the gallery—does NGI still return possible matches? Could those people then be subject to criminal investigation for no other reason than that a computer thought their face was mathematically similar to a suspect’s? This doesn’t seem to matter much to the FBI—the Bureau notes that because “this is an investigative search and caveats will be prevalent on the return detailing that the [non-FBI] agency is responsible for determining the identity of the subject, there should be NO legal issues.”

Nearly 1 million images will come from unexplained sources

One of the most curious things to come out of these records is the fact that NGI may include up to one million face images in two categories that are not explained anywhere in the documents. According to the FBI, by 2015, NGI may include:
  • 46 million criminal images
  • 4.3 million civil images
  • 215,000 images from the Repository for Individuals of Special Concern (RISC)
  • 750,000 images from a "Special Population Cognizant" (SPC) category
  • 215,000 images from "New Repositories"
However, the FBI does not define either the “Special Population Cognizant” database or the "new repositories" category. This is a problem because we do not know what rules govern these categories, where the data comes from, how the images are gathered, who has access to them, and whose privacy is impacted.
A 2007 FBI document available on the Web describes SPC as “a service provided to Other Federal Organizations (OFOs), or other agencies with special needs by agreement with the FBI” and notes that “[t]hese SPC Files can be specific to a particular case or subject set (e.g., gang or terrorist related), or can be generic agency files consisting of employee records.” If these SPC files and the images in the "new repositories" category are assigned a Universal Control Number along with the rest of the NGI records, then these likely non-criminal records would also be subject to invasive criminal searches.

Government contractor responsible for NGI has built some of the largest face recognition databases in the world

The company responsible for building NGI’s facial recognition component—MorphoTrust (formerly L-1 Identity Solutions)—is also the company that has built the face recognition systems used by approximately 35 state DMVs and many commercial businesses.2 MorphoTrust built and maintains the face recognition systems for the Department of State, which has the “largest facial recognition system deployed in the world” with more than 244 million records,3 and for the Department of Defense, which shares its records with the FBI.
The FBI failed to release records discussing whether MorphoTrust uses a standard (likely proprietary) algorithm for its face templates. If it does, it is quite possible that the face templates at each of these disparate agencies could be shared across agencies—raising again the issue that the photograph you thought you were taking just to get a passport or driver’s license is then searched every time the government is investigating a crime. The FBI seems to be leaning in this direction: an FBI employee e-mail notes that the “best requirements for sending an image in the FR system” include “obtain[ing] DMV version of photo whenever possible.”

Why should we care about NGI?

There are several reasons to be concerned about this massive expansion of governmental face recognition data collection. First, as noted above, NGI will allow law enforcement at all levels to search non-criminal and criminal face records at the same time. This means you could become a suspect in a criminal case merely because you applied for a job that required you to submit a photo with your background check.
Second, the FBI and Congress have thus far failed to enact meaningful restrictions on what types of data can be submitted to the system, who can access the data, and how the data can be used. For example, although the FBI has said in these documents that it will not allow non-mugshot photos such as images from social networking sites to be saved to the system, there are no legal or even written FBI policy restrictions in place to prevent this from occurring. As we have stated before, the Privacy Impact Assessment for NGI’s face recognition component hasn’t been updated since 2008, well before the current database was even in development. It cannot therefore address all the privacy issues impacted by NGI.
Finally, even though the FBI claims that its ranked candidate list prevents the problem of false positives (someone being falsely identified), this is not the case. A system that only purports to provide the true candidate in the top 50 candidates 85 percent of the time will return a lot of images of the wrong people. We know from researchers that the risk of false positives increases as the size of the dataset increases—and at 52 million images, the FBI’s face recognition is a very large dataset. This means that many people will be presented as suspects for crimes they didn’t commit. This is not how our system of justice was designed, and it should not be a system that Americans tacitly consent to move toward.
For more on our concerns about the increased role of face recognition in criminal and civil contexts, read Jennifer Lynch’s 2012 Senate Testimony. We will continue to monitor the FBI’s expansion of NGI.
Here are the documents:
1 In fact, another document notes that “since the trend for the quality of data received by the customer is lower and lower quality, specific research and development plans for low quality submission accuracy improvement is highly desirable.”
2 MorphoTrust’s parent company, Safran Morpho, describes itself as “[t]he world leader in biometric systems” and is largely responsible for implementing India’s Aadhaar project, which will ultimately collect biometric data from nearly 1.2 billion people.
3 One could argue that Facebook’s is larger. Facebook states that its users have uploaded more than 250 billion photos. However, Facebook never performs face recognition searches on that entire 250 billion photo database.

Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach

Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.
On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.
The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.
The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.
In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:
“To follow up on my last e-mail to you, I can confirm that we did find indications that an unauthorized person used the malware you referenced to gain access to information from customer transactions made through LaCie’s website.”
“The information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014. We engaged a leading forensic investigation firm, who conducted a thorough investigation into this matter. As a precaution, we have temporarily disabled the e-commerce portion of the LaCie website while we transition to a provider that specializes in secure payment processing services. We will resume accepting online orders once we have completed the transition.”
Security and data privacy are extremely important to LaCie, and we deeply regret that this happened. We are in the process of implementing additional security measures which will help to further secure our website. Additionally, we sent notifications to the individuals who may have been affected in order to inform them of what has transpired and that we are working closely and cooperatively with the credit card companies and federal authorities in their ongoing investigation.
It is unclear how many customer records and credit cards may have been accessed during the time that the site was compromised; Over said in his email that the company did not have any additional information to share at this time.
As I noted in a related story last month, Adobe ColdFusion vulnerabilities have given rise to a number of high profile attacks in the past. The same attackers who hit LaCie also were responsible for a breach at jam and jelly maker Smuckers, as well as Alpharetta, Ga. based credit card processor SecurePay.
In February, a hacker in the U.K. was charged with accessing computers at the Federal Reserve Bank of New York in October 2012 and stealing names, phone numbers and email addresses using ColdFusion flaws. According to this Business Week story, Lauri Love was arrested in connection with a sealed case which claims that between October 2012 and August 2013, Love hacked into computers belonging to the U.S. Department of Health and Human Services, the U.S. Sentencing Commission, Regional Computer Forensics Laboratory and the U.S. Department of Energy.
According to multiple sources with knowledge of the attackers and their infrastructure, this is the very same gang responsible for an impressive spree of high-profile break-ins last year, including:
-An intrusion at Adobe in which the attackers stole credit card data, tens of millions of customer records, and source code for most of Adobe’s top selling software (ColdFusion,Adobe Reader/Acrobat/Photoshop);
-A break-in targeting data brokers LexisNexis, Dun & Bradstreet, and Kroll.
-A hack against the National White Collar Crime Center, a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.

Google might reward secure websites with better ranking

Google Logo 
INTERNET SEARCH AND ADVERTISING GIANT Google is considering giving websites that use strong encryption preferential placement on its search listings.
Google senior engineer Matt Cutts has hinted at this, having spoken about about such a move. Cutts was talking at the SMX West conference in San Jose, California, when website hacking came up and he talked about Google responses to it.
He said that rewarding secure websites will save Google time whenever a fresh security panic sweeps the internet, according to Time magazine.
"We don't have the time to maybe hold your hand and walk you through and show you exactly where it happened," was what he reportedly said at the SMX event last month.
Cutts has also spoken in private about this, the Wall Street Journal reported. Google has remained mute on the topic.
No one is expecting the change to happen anytime soon, however Google is throwing resources at Heartbleed, which is a much more immediate issue,
Google is one of the few outfits that had prior knowledge of the OpenSSL vulnerability, and now, almost a week later, it is still reacting to it.
In an update to its Online Security blog it suggested that some of its users should establish new encryption keys immediately.
"In light of new research on extracting keys using the Heartbleed bug, we are recommending that Google Compute Engine (GCE) customers create new keys for any affected SSL services. Google Search Appliance (GSA) customers should also consider creating new keys after patching their GSA," it wrote yesterday.
"Engineers are working on a patch for the GSA, and the Google Enterprise Support Portal will be updated with the patch as soon as it is available."
In March, following PRISM revelations, Google began to step up encryption of its services, and applied extra security to email, searches and servers.

Google admits it's reading your emails

GOOGLE HAS UPDATED its privacy terms and conditions, eroding a little more of its users' privacy.
Google is so far unapologetic about its changes, despite having created some controversy. The bulk of the responses worry that Google is now able to read users' emails and scan them for its various purposes.
In its terms and conditions the firm said that its users agree that information that they submit and share with its systems is all fair game. Its update, the first since last November, makes the changes very clear.
"When you upload, or otherwise submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content," it said.
"The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services."
That is not a new bit, and that text was present in November. The new addition says that this reach is extending further.
"Our automated systems analyse your content (including emails) to provide you personally relevant product features, such as customised search results, tailored advertising, and spam and malware detection," it added. "This analysis occurs as the content is sent, received, and when it is stored."
Google told us that the changes are clarifying, but not really changing anything. "We want our policies to be simple and easy for users to understand," it said in a statement.
"These changes will give people even greater clarity and are based on feedback we've received over the last few months."
Last month as she considered a case against Google, US District Court Judge Lucy Koh explicitly said that many of the search firm's customers do not appreciate what the firm does with their information.
This would be in line with the view that Google put out in 2013. Then it said that its users should not expect any privacy protection.
Then Consumer Watchdog Privacy Project director John Simpson advised anyone that wants privacy to look elsewhere for email services.
"Google has finally admitted they don't respect privacy, People should take them at their word; if you care about your email correspondents' privacy don't use Gmail," he said.

Pentagon to triple its security workforce by 2016

Pentagon to triple its security workforce by 2016

Defense Secretary Chuck Hagel announced Pentagon efforts to strengthen its U.S. Cyber Command in coming years. By 2016, the Fort Meade, Md.-based military command expects to triple its security staff to 6,000 people, he said.
Hagel revealed the recruitment efforts late last month during a speech at the National Security Agency's (NSA) headquarters, according to a March PBS report. In the speech, Hagel also shared that the Pentagon's hiring plans included military and civilian candidates.
By this year's end, Hagel expects the Pentagon's cyber security workforce to stand at 1,800 individuals.
The move comes as the government attempts to thwart cyber espionage threats from China and elsewhere, as well as other cyber attacks that threaten national security or economic competitiveness.
In one measure to specifically stave off critical infrastructure attacks, the National Institute of Standards and Technology (NIST) released a cyber security framework to help aid organizations and operators. NIST unveiled the voluntary framework in February, which was designed to complement organizations' existing security management programs. The framework was intended to serve as a guidepost for a range of industries managing integral processes for the nation, from water treatment facilities and energy companies to the finance and healthcare sectors.
On Tuesday, Michael Daly, the CTO for Raytheon's cyber business, told SCMagazine.com that the government would likely have to do a lot of training, while partnering with private companies and educational institutions, to fill the demand for such jobs.
“It has to do with having the skills,” Daly said. “I think that when the jobs are there, the people with the skills are seeking them out and going after them. What we are seeing is a huge backlog as far as being able to hire people into these jobs. The number of security jobs have grown, but these jobs are taking a lot longer to fill.”
Last year, “The 2013 (ISC)2 Global Information Security Workforce Study," found that, among 12,000 information security professionals polled, 56 percent said that their organization was in need of more security workers.
In a Tuesday interview, W. Hord Tipton, executive director of training and certifying body (ISC)2, said that the government sometimes pays as high as 25 percent over the standard government salary for classified security jobs – but often the best candidates are lost by the lure of even higher-paying positions in the private sector.
“You lose your best talent to companies that are willing to pay more,” Tipton said.

Looking for malicious traffic in electrical SCADA networks - part 1

When infosec guys are performing intrusion detection, they usually look for attacks like portscans, buffer overflows and specific exploit signature. For example, remember OpenSSL heartbleed vulnerability? The following is the snort alert for this vulnerability, taken from the snort community rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET [25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 00|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:5;)
When you perform inline detection within electrical SCADA networks, latency is a big issue. That means you need to fully optimize the amount of checks so latency does not increase more than 3 ms. We also need to include other threats that could materialize from other threats different to malware, exploits and buffer overflows. I will detail in this diary some specific SCADA protocol packets that could be malicious traffic and cause terrible consecuences to the process infrastructure. Today I will detail malicious packets from DNP3 protocol.
The following text details DNP3 packet structure:
DNP3 Frame
Source: Practical Industrial Data Communications
  • Start: This is the starting delimiter of the DNP3 datalink layer. It is always set to 0x564
  • Length: This is the number of bytes for user data inside the DNP3 packet, plus 5 and does not count CRC bytes.
  • Control: This is the DNP3 Frame Control Byte, which provides control of data flow between the master and slave over the physical link. It identifies the type of the message and the flow direction for the communication.
  • Destination: DNP3 outstations are identified by a two-byte address. These two bytes are the little-endian representation for the outstation destination address .
  • Source: These two bytes are the little-endian representation for the outstation source address
  • CRC: Little-endian representation of the CRC-16 DNP3. This is calculated for each block and placed in the end of it.
  • Transport control: This DNP3 Frame Control Byte provides control of data flow between the master and slave in the transport level.
  • Userdata for block n:
    • Application Layer: Control byte: Duplicates the control byte in the transport control field.
    • Application layer: Function code: Defines the function being invocated by the packet
    • Application layer: structures: Defines the structures being written or queried.
  • CRC: Little-endian representation of the CRC-16 DNP3 for block n user data.
The following DNP3 functions could be used in a malicious way:
1. DNP3 Warm Restart: When this packet is received by the outstation and recognize that it comes from the master, it performs a partial restart on completition of the communications sequence. If this packet is received several times per second, the IED will experiment a denial of service and won't be able to perform actions to the industrial process, send events to the HMI or receive commands from the HMI. A typical DNP3 Warm Restart packet looks like the following:
DNP3 Warm Restart
The following filters recognize these packets:
  • Wireshark: dnp3.al.func==14
  • Snort: alert tcp $DNP3_CLIENT any -> $DNP3_SERVER $DNP3_PORTS (flow:from_client,established; content:"|0E|"; offset:12; depth:1; msg:"SCADA_IDS: DNP3 Warm Restart From Authorized Client"; classtype:attempted-dos; sid:1111112; rev:1; priority:2;)
2. DNP3 Cold Restart: When this packet is received by the outstation and recognize that it comes from the master, it performs a full restart on completition of the communications sequence. If this packet is received several times per second, the IED will experiment a denial of service and won't be able to perform actions to the industrial process, send events to the HMI or receive commands from the HMI. Packet looks same as previous one with one little change: count three bytes from the last to the first and change 0E (DNP3 Warm Restart) to 0D (DNP3 Cold Restart).The following filters recognize these packets:
  • Wireshark: dnp3.al.func==13
  • Snort: alert tcp $DNP3_CLIENT any -> $DNP3_SERVER $DNP3_PORTS (flow:from_client,established; content:"|0D|"; offset:12; depth:1; msg:"SCADA_IDS: DNP3 Cold Restart From Authorized Client"; classtype:attempted-dos; sid:1111112; rev:1; priority:2;)
3. DNP3 Time Change: When this packet is received, the IED or RTU can change the internal clock time and so orders received with specific timestamp won't be executed and logs will be placed in other different places so the operator can't see them in real time. A typical DNP3 Warm Restart packet looks like the following:
DNP3 Time Packet
Wireshark can't fully filter this packets so the following tcpdump filter is provided: ip[52]=2 and ip[53]=0x32 and ip[54]=1
SCADA Information Security is different from the regular IT information security practices. We need to cover the specific vectors to improve the security level of the associated industrial process.

National Retail Federation Prioritizes Cybersecurity



Most Notable Info

Since news of the Target breach broke four months ago, it seems like more and more data breaches are happening with retailers. Any kind of data breach is scary and daunting, but when it comes to retail cybersecurity threats and our financial information being at risk, the threat feels bigger. When a hacker has found a way into your bank account and taken your money, the immediate impact is real.
The good news for retailers and consumers is that the National Retail Federation just announced that they are creating an industry information sharing and analysis center (ISAC) for retailers and merchants. What this program will do is “provide retailers cyber security information from government, law enforcement agencies, retailers, and partners in the financial services sector.” This is good news because this can help big and small businesses protect themselves and their customers from devastating data breaches.
With the retail community on board with sharing and collaborating on cybersecurity issues and protocols, they are also stressing the importance of knowing that there isn’t one solution to keep all cyber-attacks from being successful, “Implementing robust security solutions with innovative technologies and information sharing to protect consumer data and the integrity of our payment systems is a start, but we will always need to stay one step ahead of these determined criminals.”
Being proactive and aware of the threats that exist is a critical element in staying secure and protected.

On to the daily roundup...

IT Gravity 42, Risk 43
The Galaxy S5 is brand new, but the fingerprint scanner has already been hacked by the same "fake finger" method which works on iPhones. The permissions on the Samsung, however, mean this method could work after a reboot and even let an attacker use PayPal. If you use fingerprint authentication, keep some backstops in place.goo.gl/m30wiJ
Top Targets: Management Software- Orbit Open Ad Server

GOVERNMENT Gravity 19, Risk 21
The Canadian Revenue Agency reports that 900 taxpayers had their social insurance numbers exposed in a breach stemming from the infamous heartbleed exploit. In a statement, the agency said it is analyzing data to understand that breach. The CRA will notify individuals about the breach and offer free credit protection. goo.gl/xfyALY
Top Targets: Data- Social Insurance Numbers (SINs)

FINANCIALSGravity 13, Risk 19
The Bulgarian-based Bitcoin exchange BTC-e went down briefly Sunday after a DDoS attack on their server. The company made a statement that nothing was taken and that this DDoS attack was similar to previous attacks and "not special in anyway". bit.ly/1iT4Mpp
Top Targets: Financial Networks- Cryptocurrency exchanges

OTHER ORGANIZATIONSGravity 10, Risk 14
The Veterans of Foreign Wars Organization suffered a major data breach losing approximately 55,000 records to alleged Chinese hackers. The VFM knew about the breach in early March and informed affected veterans in a letter.bit.ly/1etFiml
Top Targets: Users- Anonymous members

CONSUMER GOODS Gravity 5, Risk 7
The National Retail Federation, the world’s largest retail trade association, plans to create an information sharing and analysis center that will help companies deal with cyber threats in the retail and merchant industry. It will be developed in partnership with the Financial Services Information Sharing and Analysis Center. goo.gl/VY6OxF
Top Targets: Mobile Device- News Corp. consumers phones

UTILITIES Gravity 1, Risk 6
A report from Connecticut state utility regulators reveals that electric, natural gas and water companies and regional distribution systems have been penetrated by hackers and other cyber attackers, but that defenses prevented interruption. The report does not specify incidents or elaborate publicly on security details.goo.gl/Or10Kf
Top Targets: Infrastructure- Crucial infrastructure

HEALTHCARE Gravity 1, Risk 3
Personal details of nearly 500,000 people who sought information about plastic surgery via the UK's Harley Medical Group’s website were stolen in an apparent bid to blackmail the company. The stolen details submitted by potential customers include phone numbers, email address and date of birth. goo.gl/hkrIXn
Top Targets: Patients- La Palma Intercommunity Hospital's patients

ENTERTAINMENT Gravity 2, Risk 2
Three major record labels are suing Russian social media website vKontakte. The labels claim the company fosters large scale music piracy. Sony Music Russia, Universal Music Russia, and Warner Music UK filed suit in court. The labels claim the site stores a user generated catalogue of music and has refused to a licensing deal. goo.gl/LtIiVj
Top Targets: Web Presence- Tens of pornographic websites

INDUSTRIALS Gravity 1, Risk 2
US Airways apologized for tweeting an explicit photo in response to a customer complaint. In a statement, the airline says it was trying to flag the image but it was mistakenly included. One social media mistake can harm your brand, especially if you are a small business. Therefore, managing social media is recommended. goo.gl/k6Gid8
Top Targets: Social Media Accounts- US Airways Twitter account

TELECOM Gravity 1, Risk 1
The internet is awash with various sites who may have been affected by heartbleed but very few go into detail about the appropriate mobile devices. Here is a comprehensive list of what heartbleed means to mobile devices and apps. Yes, your phone could have been or may be vulnerable as well. onforb.es/1gWS2wK
Top Targets: Users- AT&T Inc. website Apple iPad users

ENERGY Gravity 1, Risk 1
The New York Times released an article discussing watering hole attacks aimed at an unknown energy company. Hackers compromised a food takeout website popular with employees. The compromised website enabled the hackers to upload malicious code onto the victims computers, giving the attackers a foothold in the targeted network. goo.gl/sNtody
Top Targets: Desktop/Laptops-Oil company private computers

MATERIALS Gravity 0, Risk 0
On Sunday Anonymous attacked the Monsato Brazil website via a DDoS and took it offline. This is not the first attack Anonymous has conducted against Monsato. The hacktivist organization is protesting the use of GE Trees that they claim poisons land and displaces communities in Latin America. inagist.com/all/4478...

Researchers claim to hack fingerprint sensor on Samsung Galaxy S5

 

samsung galaxy s5 Security Research Labs says smartphone makers like Samsung need to implement biometric technology "in a way that does not put their users' crucial data and payment accounts at risk."

Well, that didn't take long.

Four days after Samsung released its long-awaited Galaxy S5, security researchers say they've already found a way to hack the smartphone's fingerprint sensor.
In a video posted Tuesday on YouTube, experts from Security Research Labs demonstrated an apparent breach of the S5 using similar tactics employed late last year to bypass the fingerprint lock on Apple's (AAPL, Fortune 500) iPhone 5s.
The group says it used a camera-phone photo of a fingerprint on a smartphone screen to create a "fake finger" sheet out of a wood-glue mold. That allowed them to access the S5's home screen and even send money via the PayPal app, which uses fingerprint authentication.
The cost to build a Samsung Galaxy S5
"Samsung does not seem to have learned from what others have done less poorly," Security Research Labs said.
"Incorporation of fingerprint authentication into highly sensitive apps such as PayPal gives a would-be attacker an even greater incentive to learn the simple skill of fingerprint spoofing."
Samsung (SSNLF) did not immediately respond to a request for comment.


In a statement Tuesday PayPal said it took the SRL findings "very seriously," but was "still confident that fingerprint authentication offers an easier and more secure way to pay on mobile devices than passwords or credit cards."
The company says it can quickly deactivate fingerprint keys on lost or stolen devices, and that users are covered in case of fraud by its purchase protection policy

'Heartbleed' hacking spree: Canadian tax agency says hundreds of IDs stolen

The Canada Revenue Agency website is seen on a computer screen displaying information about an internet security vulnerability called the "Heartbleed Bug" in Toronto, April 9, 2014. (Reuters / Mark Blinch)
The Canada Revenue Agency website is seen on a computer screen displaying information about an internet security vulnerability called the "Heartbleed Bug" in Toronto, April 9, 2014.

Canada Revenue Agency (CRA) has reported that the private information of about 900 people was stolen using the Heartbleed security bug. Experts are warning that more attacks may occur.
Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability,” the Canadian tax-collection authority said in a statement on Monday. “We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses that were also removed.
Reportedly, the CRA has so far been the only government agency to admit the data loss after news about the Heartbleed bug became public. The flaw was found in OpenSSL software used to encrypt about two-thirds of websites to secure data. Revealed to the public on Monday, April 7, the bug was feared to be one of the most serious security vulnerabilities in years.
The CRA shut its online services for several days last Tuesday. Unfortunately, it appeared the measure was too slow to prevent attacks by cyber criminals.
Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” the authority said.
The agency, according to its statement, informed the Privacy Commissioner of Canada of the breach on Friday and restored access to its online services on Sunday. However, it waited till Monday to publically confirm the attack.
The CRA “contacted our office last Friday afternoon to notify us about the attack and of the measures it was taking to mitigate risks and notify affected individuals," Valerie Lawton, a spokesperson for the Privacy Commissioner's Office said in a written statement, as cited by CBC News. The office latter added that the tax-collector said that “several hundred Canadians” had their SINs stolen from the agency's website as a result of the Heartbleed bug.
The incident also raised questions over the government’s response to the incident, with researchers in the Canadian online security community saying that the Heartbleed breach indicated that state agencies are often not as well equipped as private firms to react to online threats.
The government “was really slow on this,” Christopher Parsons, from the Citizen Lab at the Munk School of Global Affairs at the University of Toronto told CBC.
If you look at Yahoo, it had begun updating its security practices prior to the CRA fully taking action. The same thing with other larger companies. As soon as they saw what was going on, they immediately reacted and issued public statements,” he said.
The CRA said in their Monday statement that all those affected by the breach will receive registered letters as well as get access to credit protection services at no cost.
We will apply additional protections to their CRA accounts to prevent any unauthorized activity,” the authority said.
Meanwhile, a popular British website for parents, Mumsnet, urged users to change their passwords after the 'Heartbleed bug' had been used to access data from their accounts.
On Thursday April 10 we at MNHQ became aware of the bug and immediately ran tests to see if the Mumsnet servers were vulnerable. As soon as it became apparent that we were, we applied the fix to close the OpenSSL security hole (known as the Heartbleed patch). However, it seems that users' data was accessed prior to our applying this fix,” Mumsnet said.
The founder of the site, Justine Roberts, told the BBC that her own username and password were used to post a message online. According to Roberts, the hackers then told the website’s administrators that the attack was linked to Heartbleed and that the company’s data was not safe.
It is not yet clear why the cyber criminals picked the parental website as their target, as it does not deal with financial or confidential data. But as FT.com noted, people often use same passwords and user names on various websites and hackers may have sought to get those details to use on other sites later.

JP Morgan to invest £150 million on boosting cyber security

US bank JP Morgan has increased its budget for cyber security in reaction to an "unprecedented" threat faced in the past two years.
In a letter to shareholders last week, JP Morgan CEO Jamie Dimon said that the firm will spend close to $250 million (£149 million) on improving "cyber capabilities", up from $200 million the previous year.
"In our existing environment and at our company, cybersecurity attacks are becoming increasingly complex and more dangerous," said Dimon. "The threats are coming in not just from computer hackers trying to take over our systems and steal our data but also from highly coordinated external attacks both directly and via third-party systems."
Last year, the bank warned 465,000 customers using its prepaid cash cards that personal information may have been compromised, after it was targeted in a cyber attack. It has also been targeted by hacktivist groups such as the European Cyber Army and Martyr Izz ad-Din al-Qassam Cyber Fighters.
COO Matt Zames added in a separate letter that the number of attacks the bank has received from sophisticated criminals in recent years has been "unprecedented".
"Two years ago we saw a rise in 'denial of service' attacks aimed at disrupting the flow of financial transaction," he said.
"As the threats continue to grow and attacks continue to evolve, it's crucial that we evolve as well and focus on tomorrow's threats, as well as today's."
The investment in cyber security includes deployment of additional 'monitoring and protection' technology, as well as expanding the number of dedicated cybersecurity professional employed at the bank to a total of 600.
The bank will also build three 'state-of-the-art' Cyber Security Operations Centers at its regional headquarters to help coordinate responses to attacks. These will help pull together internal information from systems monitoring, combining with data from industry and government partners to offer a comprehensive view of threats.
JP Morgan's large IT estate includes 300,000 desktops, 58,000 servers in 32 data centres, with 26,000 data bases and 7,250 business applications. It also has nearly 30,000 programmers, app developers and other IT employees globally.

Everything you need to know about the Heartbleed bug - Part 4

What information can you get with a Heartbleed attack?

The Heartbleed attack works by tricking servers into leaking information stored in their memory. So any information handled by web servers is potentially vulnerable. That includes passwords, credit card numbers, medical records, and the contents of private email or social media messages.
Attackers can also get access to a server's private encryption key. That could allow the attacker to unscramble any private messages sent to the server and even impersonate the server.
 
 

Who might take advantage of the Heartbleed Bug?

Broadly speaking, there are two groups of people who might take advantage of Heartbleed: criminals and intelligence agencies.
For criminals, the most likely goal of a Heartbleed attack would be identity theft. By capturing a user's passwords, credit card numbers, and other credentials, the criminal could impersonate the user and engage in fraudulent financial transactions.
Intelligence agencies might have much broader goals. The US National Security Agency and its counterparts in Russia, China, and other world powers are constantly looking for opportunities to compromise the communications of military and civilian targets alike. Bloomberg has reported that the NSA discovered the Heartbleed Bug at least two years ago and "regularly used it to gather critical intelligence." The NSA has denied this claim.
The NSA is particularly well-positioned to take advantage of a vulnerability like Heartbleed because it has secret agreements with major internet service providers allowing it to intercept traffic as it flows through the internet backbone. If the agency used a Heartbleed attack to obtain a site's encryption keys, then it could intercept all of the site's communications even though the site was using SSL.
 

Everything you need to know about the Heartbleed bug - PART 3

Who discovered the vulnerability?

It was discovered independently by researchers at Codenomicon and Google Security. Codenomicon created a user-friendly website about the vulnerability, helping to rapidly spread awareness.
To minimize the damage from the disclosure, the researchers worked with the OpenSSL team and other key insiders to prepare fixes before the problem was announced publicly.


How did the Heartbleed bug get added to OpenSSL?

The flawed code was added to the experimental version of SSL at the end of 2011 and released to the public in March 2012. The flawed software patch was submitted by a German man named Robin Seggelmann.
"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he told the Sydney Morning Herald. "In one of the new features, unfortunately, I missed validating a variable containing a length."
The submission was reviewed by an OpenSSL developer, but neither man noticed that the code could be exploited to trick servers into leaking the contents of memory.



Has anyone actually exploited the Heartbleed vulnerability?

We don't know. Security researchers have built proof-of-concept software to exploit the Heartbleed Bug. But so far, there have been no confirmed cases of malicious parties using the bug to steal user data.
However, that doesn't mean it's not happening. For the next few days, people will be on the lookout for suspicious activity. So hackers who steal users' passwords, credit card numbers, and other private data might decide to lie low for a while before trying to take advantage of this information. And when they do, we might not know if they got the information through a Heartbleed attack or some other tactic.

Everything you need to know about the Heartbleed bug -PART 2

What is SSL?

SSL, short for Secure Sockets Layer, is a family of encryption technologies that allows web users to protect the privacy of information they transmit over the internet.
When you visit a secure website such as Gmail.com, you'll see a lock next to the URL, indicating that your communications with the site are encrypted. Here's what that looks like in Google's Chrome browser:
Screen_shot_2014-04-08_at_10
That lock is supposed to signal that third parties won't be able to read any information you send or receive. Under the hood, SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher. If a malicious party is listening to the conversation, it will only see a seemingly random string of characters, not the contents of your emails, Facebook posts, credit card numbers, or other private information.
SSL was introduced by Netscape in 1994. In recent years, there has been a trend toward major online services to using encryption by default. Today, Google, Yahoo, and Facebook all use SSL encryption by default for their websites and online services.
When implemented correctly, SSL is believed to be highly secure. But in 2014 a number of problems were found in widely used SSL software. In February, a serious flaw was discovered in Apple's implementation of SSL. The next month a a flaw was found another SSL implementation that was popular with open source operating systems. The most serious vulnerability, known as Heartbleed, was discovered in April. It affects OpenSSL, which is installed on a majority of the world's web servers.

What's OpenSSL?

OpenSSL is software that allows computers to communicate using the SSL encryption standards. It's an open source project created and maintained by volunteers. First released in 1998, it has become one of the most popular SSL implementations in the world.
OpenSSL is widely used. One reason for this is that it has been incorporated into various other software products. For example, two of the most popular web servers software packages, known as Apache and nginx, both use OpenSSL to encrypt websites.
OpenSSL project currently lists just 15 active developers who contribute to the project on a volunteer basis. But not all changes to the OpenSSL software are written by these 15 people. Rather, these developers help to filter and organize suggested changes from a larger community of people who make occasional contributions.
Considering that high-profile commercial software projects often have dozens or even hundreds of people working on them, it's not surprising that the OpenSSL team didn't notice the subtle Heartbleed bug when they introduced a new version of the software in 2012.


How does the heartbleed attack work?

The SSL standard includes a "heartbeat" option, which provides a way for a computer at one end of the SSL connection to double-check that there's still someone at the other end of the line. This feature is useful because some internet routers will drop a connection if it's idle for too long. In a nutshell, the heartbeat protocol works like this:
Heartbleed_good
The heartbeat message has three parts: a request for acknowledgement, a short, randomly-chosen message (in this case, "banana"), and the number of characters in that message. The server is simply supposed to acknowledge having received the request and parrot back the message.
The Heartbleed attack takes advantage of the fact that the server can be too trusting. When someone tells it that the message has 6 characters, the server automatically sends back 6 characters in response. A malicious user can take take advantage of the server's gullibility:
Heartbleed_bad
Obviously, the word "giraffe" isn't 100 characters long. But the server doesn't bother to check before sending back its response, so it sends back 100 characters. Specifically, it sends back the 7-character word "giraffe" followed by whichever 93 characters happen to be stored after the word "giraffe" in the server's memory. Computers often store information in a haphazard order in an effort to pack them into its memory as tightly as possible, so there's no telling what information might be returned. In this case, the bit of memory after the word "giraffe" contained sensitive personal information belonging to user John Smith.
In the real Heartbleed attack, the attacker doesn't just ask for 100 characters. The attacker can ask for around 64,000 characters of plain text. And it doesn't just ask once, it can send malicious heartbeat messages over and over again, allowing the attacker to get back different fragments of the server's memory each time. In the process, it can gain a wealth of data that was never intended to be available to the public.
The fix for this problem is easy: the server just needs to be less trusting. Rather than blindly sending back as much data as is requested, the server needs to check that it's not being asked to send back more characters than it received in the first place. That's exactly what OpenSSL's fix for the Heartbleed Bug does.

Everything you need to know about the Heartbleed bug - PART 1

What is the Heartbleed Bug?

The Heartbleed bug is a serious flaw in OpenSSL, encryption software that powers a lot of secure communications on the web. It was announced by computer security researchers on April 7, 2014.
Here's how it works: the SSL standard includes a heartbeat option, which allows a computer at one end of an SSL connection to send a short message to verify that the other computer is still online and get a response back. Researchers found that it's possible to send a cleverly formed, malicious heartbeat message that tricks the computer at the other end into divulging secret information. Specifically, a vulnerable computer can be tricked into transmitting the contents of the server's memory, known as RAM.
Ed Felten, a computer scientist at Princeton (and, disclosure, my former graduate advisor) says that attackers using the technique can "sort through that information by doing pattern matching to try to find secret keys, passwords, and personal information like credit card numbers."
I don't need to explain why exposing passwords and credit card numbers could be harmful. But exposing secret keys can be even worse. This is the information servers use to unscramble encrypted information it receives. If an attacker obtains a server's private keys, it can read any information sent to it. It may even be able to use the secret key to impersonate the server, tricking users into divulging their password and other sensitive information.
SInce the bug was announced, website operators have scrambled to update their software and take other precautions required to secure their sites. The precise number of affected websites isn't known, but the vulnerability is believed to affect a significant fraction of all secure sites on the web.
Because the Heartbleed attack is generally focused on servers, there is nothing users can do to protect themselves when using a vulnerable website. But once a secure website has fixed the problem, it's important for user to update their software to ensure that previously-captured passwords are not used for malicious purposes.

What is the Heartbleed Bug?

The Heartbleed bug is a serious flaw in OpenSSL, encryption software that powers a lot of secure communications on the web. It was announced by computer security researchers on April 7, 2014.
Here's how it works: the SSL standard includes a heartbeat option, which allows a computer at one end of an SSL connection to send a short message to verify that the other computer is still online and get a response back. Researchers found that it's possible to send a cleverly formed, malicious heartbeat message that tricks the computer at the other end into divulging secret information. Specifically, a vulnerable computer can be tricked into transmitting the contents of the server's memory, known as RAM.
Ed Felten, a computer scientist at Princeton (and, disclosure, my former graduate advisor) says that attackers using the technique can "sort through that information by doing pattern matching to try to find secret keys, passwords, and personal information like credit card numbers."
I don't need to explain why exposing passwords and credit card numbers could be harmful. But exposing secret keys can be even worse. This is the information servers use to unscramble encrypted information it receives. If an attacker obtains a server's private keys, it can read any information sent to it. It may even be able to use the secret key to impersonate the server, tricking users into divulging their password and other sensitive information.
SInce the bug was announced, website operators have scrambled to update their software and take other precautions required to secure their sites. The precise number of affected websites isn't known, but the vulnerability is believed to affect a significant fraction of all secure sites on the web.
Because the Heartbleed attack is generally focused on servers, there is nothing users can do to protect themselves when using a vulnerable website. But once a secure website has fixed the problem, it's important for user to update their software to ensure that previously-captured passwords are not used for malicious purposes.


Which websites are affected?

Affected companies include Tumblr, Google, Yahoo, Intuit (makers of TurboTax), Dropbox, and Facebook, though all these companies say they've fixed the problem. Amazon.com was not affected, but Amazon Web Services, which is used by a huge number of smaller websites, was. Microsoft, PayPal, LinkedIn, and AOL say they weren't affected. Twitter, eBay, Netflix, and Apple have not made a clear statement one way or the other.
Most banking and investment sites, including Bank of America, Chase, E-Trade, Fidelity, PNC, Schwab, US Bank, and Wells Fargo, were not affected. This might be because these companies use encryption software other than OpenSSL, or it might be because they haven't been upgrading to the latest version. Ironically, companies who were running a version of OpenSSL more than two years old were not affected by the Heartbleed bug.

Hackers prepping for OpenSSL Heartbleed attacks

While security pros hustle to patch Web sites affected by the widespread OpenSSL flaw nicknamed Heartbleed, there are indications that cybercriminals are hoping to beat them to the punch.
A list of more than 10,000 domains that were vulnerable, patched or unaffected by the bug was found on Pastebin by Easy Solutions. The fraud prevention company believes hackers are most likely behind the list.
"A lot of time what these guys will do is dump a list of inventory on Pastebin, cut that link and then share the link with their friends on a (underground) forum," Daniel Ingevaldson, chief technology officer for Easy Solutions, said. "So, it's essentially a billboard for a service."
Wide-scale scanning for vulnerable sites is underway across the Internet, Ingevaldson said. Much of the scanning is being done for legitimate reasons, while the rest is by hackers looking for potential victims.
"We're seeing a systematic canvassing of the entire Internet right now to see what's vulnerable and what isn't," Ingevaldson said. "It's a bit of a gold rush."
Many free scanning tools are available on the Web to test sites for the flawed OpenSSL library, which has been in use for about two years. OpenSSL is the open source implementation of Secure Sockets Layer, which is used to encrypt communications between a web browser and server. The vulnerability makes it possible to read the memory of the server and steal credentials, passwords and other data.
At least a half million servers, or 17 percent of secure websites, were reportedly vulnerable, presenting a large target for cybercriminals who reach the sites before their operators can apply the freely available patch.
However, finding a vulnerable site is much easier than exploiting the flaw, experts say. But while it may be fairly difficult now, hackers share information and toolkits, which may make the task easier in the future.
Websites are not the only entities vulnerable to an OpenSSL attack. Cloud-based apps are also potential targets. Netskope, a cloud app analytics company, has a running tally of vulnerable apps that are used by enterprises. The company's list had reached 100 as of Thursday.