Thursday, December 18, 2014

Banks allow phishers to log in using Tor



The Financial Crimes Enforcement Network (FinCEN), a department of the US Treasury that combats financial crimes such as fraud and money laundering, recently released a report stating that "nearly $24 million in likely fraudulent activity" involved known Tor network nodes. The proportion of fraud that involves Tor is increasing rapidly: according to the report, October 2007 to March 2013 saw an increase of 50% in Tor-related fraud reports, whereas the most recent and much shorter period of March 2013 to July 2014 saw an increase of 100%. The report, which is not public, was obtained by computer security journalist Brian Krebs.

Tor is a piece of open-source software that attempts to provide online anonymity using a technique known as "onion routing". Messages sent by the user, such as HTTP requests from the user's web browser, are sent across the Tor network, instead of being sent directly to the destination server. Before a user sends a message, it is encrypted several times, along with information describing how the message should be routed through a virtual circuit across the Tor network. Circuits consist of a series of three randomly-selected Tor nodes: an entry node, a middle node and an exit node. The user's traffic enters the Tor network at the entry node. Each successive node is able to remove a single layer of encryption, which also reveals the next node to send the message to – akin to peeling the layers of an onion. When the message reaches the exit node, the final layer of encryption is removed and it is sent out across the Internet to its final destination. A similar procedure applies to messages travelling in the opposite direction back to the user, such as HTTP responses.
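
The layering the paragraph describes can be made concrete in a few dozen lines. The following is an added illustration, not code from the article or from the Tor project: Tor negotiates per-hop AES-CTR keys with each relay by a handshake, whereas this example simply assumes the client already shares a key with each of the three relays and uses a counter-mode keystream derived from HMAC-SHA256 so that it runs on the Python standard library alone. The relay names, the destination `bank.example` and the request bytes are constructed for the example.

```python
"""Onion routing reduced to its core: three layers of encryption, one per hop."""
import hashlib
import hmac
import json
import os

# Added illustration, not the Tor protocol. Per-hop keys are assumed to be
# pre-shared; the cipher is an HMAC-SHA256 counter-mode keystream standing in
# for Tor's AES-CTR so the example needs no third-party library.
NONCE_LEN = 16
TAG_LEN = 32


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (self-inverse)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Add one layer: nonce || ciphertext || MAC tag over nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_layer(key: bytes, blob: bytes) -> bytes:
    """Peel one layer; a relay holding the wrong key fails the tag check."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer integrity check failed: wrong key or tampered data")
    return keystream_xor(key, nonce, ciphertext)


def can_peel(key: bytes, blob: bytes) -> bool:
    """True only if this key opens the outermost layer of blob."""
    try:
        open_layer(key, blob)
        return True
    except ValueError:
        return False


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """circuit: list of (relay_name, key) ordered entry -> middle -> exit.

    Wrap from the inside out. Only the exit's layer carries the destination
    and payload; every outer layer names just the next relay."""
    innermost = {"next": destination, "payload": payload.hex()}
    blob = seal(circuit[-1][1], json.dumps(innermost).encode())
    for hop in range(len(circuit) - 2, -1, -1):
        layer = {"next": circuit[hop + 1][0], "inner": blob.hex()}
        blob = seal(circuit[hop][1], json.dumps(layer).encode())
    return blob


def relay_peel(key: bytes, blob: bytes):
    """What one relay learns: (next_hop, bytes to forward, is_exit)."""
    layer = json.loads(open_layer(key, blob))
    if "inner" in layer:
        return layer["next"], bytes.fromhex(layer["inner"]), False
    return layer["next"], bytes.fromhex(layer["payload"]), True


def route(circuit, onion: bytes) -> dict:
    """Walk the circuit, recording what each relay could observe."""
    observed, blob = {}, onion
    for name, key in circuit:
        next_hop, blob, is_exit = relay_peel(key, blob)
        observed[name] = {"next_hop": next_hop, "sees_payload": is_exit}
    return {"observed": observed, "delivered": blob}


def demo() -> dict:
    """Constructed circuit and request; returns the routing record."""
    circuit = [("entry", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]
    onion = build_onion(circuit, "bank.example", b"GET /login HTTP/1.1")
    result = route(circuit, onion)
    # The middle relay holds only its own key, so it cannot open the outer layer.
    result["middle_can_peel_outer"] = can_peel(circuit[1][1], onion)
    return result


if __name__ == "__main__":
    print(json.dumps(demo()["observed"], indent=2))
```

Running it shows the property the article relies on: the entry relay learns only that the next hop is the middle relay, the middle relay learns only the exit, and only the exit sees the destination and the request itself. The MAC on each layer is what makes a relay with the wrong key fail outright rather than forward garbage.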


Wednesday, December 17, 2014

Apple Cider Vinegar Detox

12 ounce glass of water

5 Tbsp. Apple Cider Vinegar
1 tsp. ground cinnamon
4 Tbsp. lemon juice
1 pinch red pepper

Mix

Tuesday, December 2, 2014

FDIC: What to Expect in New Guidance


When the Federal Financial Institutions Examination Council releases new cybersecurity guidance, it will address specific types of cyber-attacks and threats, according to examination specialists from the Federal Deposit Insurance Corp., one of the FFIEC's regulatory agencies.

During a Nov. 20 community banking advisory committee meeting, members of the FDIC's Division of Risk said future IT examinations for banking institutions of all sizes will include reviews of specific cybersecurity initiatives, such as employee awareness and training, as well as software and operating system patching.

Tuesday, November 25, 2014

Adobe Releases Security Updates for Flash Player



Adobe has released security updates to address a vulnerability in Flash Player which could potentially allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review Adobe Security Bulletin APSB14-26 and apply the necessary updates.

NC Attorney General warns of scammers posing as Duke Energy


RALEIGH, N.C. — North Carolina’s attorney general is warning Duke Energy customers to watch for a new phone scam in which the caller claims the customer’s power bill is overdue, according to a recent press release.




Attorney General Roy Cooper said the scammers are calling Duke Energy customers saying their power will be cut off if they don’t pay their bill immediately.

“Scammers continue to make calls threatening consumers and small businesses to pay up or lose power, and we’re concerned that the cold weather will give their threats extra force,” Cooper said.

Cooper says “Duke Energy” shows up on the caller ID and the victims are told to pay their bill by putting money onto a prepaid card.


Docker has released a critical security advisory



Docker has released a critical security advisory to address vulnerabilities in Docker versions prior to version 1.3.2, one of which could allow an attacker to escalate privileges and execute remote code on an affected system.


US-CERT encourages users and administrators to review Docker's Security Advisory and apply the necessary updates.



Wednesday, November 19, 2014

Microsoft Releases Out-of-Band Security Bulletin for Windows Kerberos Vulnerability



Microsoft has released security updates to address a remote elevation of privilege vulnerability which exists in implementations of Kerberos KDC in Microsoft Windows. Exploitation of this vulnerability could allow a remote attacker to take control of an affected system.




US-CERT encourages users and administrators to review Microsoft Security Bulletin MS14-068, Vulnerability Note VU#213119, and Alert TA14-323A for additional details, and apply the necessary updates.

Microsoft Windows Kerberos KDC Remote Privilege Escalation Vulnerability



Systems Affected

Microsoft Windows Vista, 7, 8, and 8.1
Microsoft Server 2003, Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2
Overview


A remote escalation of privilege vulnerability exists in implementations of Kerberos Key Distribution Center (KDC) in Microsoft Windows which could allow a remote attacker to take control of a vulnerable system. [1]
Description


The Microsoft Windows Kerberos KDC fails to properly check service tickets for valid signatures, which can allow aspects of the service ticket to be forged. The improper check allows an attacker to escalate valid domain user account privileges to those of a domain administrator account, which renders the entire domain vulnerable to compromise.

At the time this release was issued, Microsoft was aware of limited, targeted attacks attempting to exploit this vulnerability.
Impact


A valid domain user can pass invalid domain administrator credentials, gain access and compromise any system on the domain, including the domain controller. [2]
Solution


An update is available from Microsoft. Please see Microsoft Security Bulletin MS14-068 and the Microsoft Security Research and Defense Blog for more details, and apply the necessary updates. [1, 3]
References

[1] Microsoft Security Bulletin MS14-068
[2] Vulnerability Note VU#213119
[3] Microsoft Security Research and Defense Blog
Revisions



November 19, 2014: Initial Draft

Friday, November 14, 2014

Microsoft Secure Channel (Schannel) Vulnerability (CVE-2014-6321)

11/14/2014 10:32 AM EST

Original release date: November 14, 2014

Systems Affected
Microsoft Windows Server 2003 SP2
Microsoft Windows Vista SP2
Microsoft Windows Server 2008 SP2
Microsoft Windows Server 2008 R2 SP1
Microsoft Windows 7 SP1
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows RT
Microsoft Windows RT 8.1

Microsoft Windows XP and 2000 may also be affected.
Overview

A critical vulnerability in Microsoft Windows systems could allow a remote attacker to execute arbitrary code via specially crafted network traffic.[1]
Description

Microsoft Secure Channel (Schannel) is a security package that provides SSL and TLS on Microsoft Windows platforms.[2, 3] Due to a flaw in Schannel, a remote attacker could execute arbitrary code on both client and server applications.[1]

It may be possible for exploitation to occur without authentication and via unsolicited network traffic. According to Microsoft MS14-066, there are no known mitigations or workarounds.[2]

Microsoft patches are typically reverse-engineered and exploits developed in a matter of days or weeks.[4] An anonymous Pastebin user has threatened to publish an exploit on Friday, November 14, 2014.[5]
Impact

This flaw allows a remote attacker to execute arbitrary code and fully compromise vulnerable systems.[6]
Solution

Microsoft has released Security Bulletin MS14-066 to address this vulnerability in supported operating systems.[2]
References
[1] NIST Vulnerability Summary for CVE-2014-6321
[2] Microsoft Security Bulletin MS14-066 - Critical
[3] Microsoft, Secure Channel
[4] Reddit, Microsoft Security Bulletin MS14-066
[5] Pastebin, SChannelShenanigans
[6] Winshock.txt
Revision History
November 14, 2014: Initial Release

Monday, November 10, 2014

Microsoft Ending Support for Windows Server 2003 Operating System



Systems Affected

Microsoft Windows Server 2003 operating system
Overview


Microsoft is ending support for the Windows Server 2003 operating system on July 14, 2015.[1] After this date, this product will no longer receive:
Security patches that help protect PCs from harmful viruses, spyware, and other malicious software
Assisted technical support from Microsoft
Software and content updates
Description


All software products have a lifecycle. End of support refers to the date when Microsoft will no longer provide automatic fixes, updates, or online technical assistance.[2] As of July 2014, there were 12 million physical servers worldwide still running Windows Server 2003.[3]
Impact


Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.

Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows Server 2003.

Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.
Solution


Computers running the Windows Server 2003 operating system will continue to work after support ends. However, using unsupported software may increase the risks of viruses and other security threats. Negative consequences could include loss of confidentiality, integrity, and/or availability of data, system resources and business assets.

The Microsoft "Microsoft Support Lifecycle Policy FAQ" page offers additional details.[2]

Users have the option to upgrade to a currently supported operating system or other cloud-based services. There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows Server 2003 to a currently supported operating system or SaaS (software as a service) / IaaS (infrastructure as a service) products and services.[4, 5] US-CERT does not endorse or support any particular product or vendor.
References

[1] Microsoft Product Lifecycle Listing
[2] Microsoft Support Lifecycle Policy FAQ
[3] Redmond Magazine, Prepare for Windows Server 2003's End of Support
[4] Windows Server 2003 Migration Support
[5] TechTarget, Weighing next steps following Windows Server 2003 end-of-life
Revisions



November 10, 2014: Initial Release

Thursday, November 6, 2014

FBI arrests Blake “Defcon” Benthall, alleged operator of Silk Road 2.0



The FBI announced that yesterday it arrested Blake Benthall, aka "Defcon," the alleged owner and operator of Silk Road 2.0. Benthall was apprehended in San Francisco and will be presented today in a federal court in SF before Magistrate Judge Jacqueline Scott Corley.

“As alleged, Blake Benthall attempted to resurrect Silk Road, a secret website that law enforcement seized last year, by running Silk Road 2.0, a nearly identical criminal enterprise," Manhattan US Attorney Preet Bharara said in a statement. "Let’s be clear—this Silk Road, in whatever form, is the road to prison. Those looking to follow in the footsteps of alleged cybercriminals should understand that we will return as many times as necessary to shut down noxious online criminal bazaars. We don’t get tired.”

Wednesday, November 5, 2014

Google Releases Tool For Finding TLS/SSL Vulnerabilities and Misconfigurations



Google has released a new network traffic security testing tool that can be used to check if devices and applications are impacted by Transport Layer Security/ Secure Sockets Layer (TLS/SSL) vulnerabilities and if the cryptographic protocols are configured correctly.

The tool, dubbed Nogotofail, has been used internally by the Android Security Team for some time. However, on Tuesday, it was released as an open source project to allow anyone to test their applications and contribute to making the tool better.

"Nogotofail works for Android, iOS, Linux, Windows, Chrome OS, OSX, in fact any device you use to connect to the Internet. There’s an easy-to-use client to configure the settings and get notifications on Android and Linux, as well as the attack engine itself which can be deployed as a router, VPN server, or proxy," Android Security Engineer Chad Brubaker, one of the tool's developers, wrote in a post on the Google Online Security blog.

Tuesday, November 4, 2014

Undercover Video Allegedly Shows How Easy It Is to Commit Voter Fraud in North Carolina



Controversial, undercover filmmaker James O’Keefe has released a new video alleging he was offered ballots in North Carolina “some 20 times” by giving election officials the names of inactive voters.

In the video (originally released to the Daily Mail), O’Keefe says there are over 700,000 such voters in the state, “which creates a recipe for voter fraud on a massive scale.” He set out to show just what that fraud might look like by visiting numerous early voting places.

Smart offers mobile-based protection against ATM, credit card fraud



MANILA – A unit of Smart Communications Inc has launched an anti-fraud security service aimed at minimizing ATM and credit card scams.

A service of Smart e-Money Inc, “LockByMobile” allows mobile subscribers to lock and unlock accounts at different levels—by account, by channel, or by transaction settings.

Using the company’s proprietary, patented and Payment Card Industry-Data Security Standard certified platform, this mobile application can be downloaded via Google Play or Apple Store. This will be made available to card issuers worldwide using smartphones provided by any mobile network operator.

Its patented features include enabling the cardholder to lock or unlock the account by transaction or by channel. Through locking by transaction, a cardholder can set an amount threshold; limit the types of merchants where the card can be used; and limit transactions to certain countries and currencies. This will come in handy when the cardholder travels overseas.

LockByMobile also has built-in fraud alert mechanisms that are preventive rather than reactive, ensuring that a transaction will not push through unless it is within the security setting set by the cardholder.

"It's an innovative mobile financial solution that we've developed to address a common pain point of any cardholder—that of having the power to protect one's card accounts in a simple but powerful and convenient way. Having that additional layer of security can give the customer peace of mind," Orlando B. Vea, Smart e-Money president, said in a statement.
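
The preventive model the article describes, controls that are evaluated before a transaction is authorized rather than alerts raised after it posts, is easy to sketch as a small rule engine. The following is an added example, not Smart e-Money's code: the field names, the channel labels (`atm`, `pos`, `online`), the merchant categories and the travel scenario are all constructed for the illustration. Amounts are kept in integer minor units (centavos) so that threshold comparisons never suffer from floating-point rounding.

```python
"""Pre-authorization card controls: lock by account, by channel, or by
transaction settings, enforced before the transaction is allowed to post.

Added example, not the product's code. Field names, channel labels, merchant
categories and the scenario values are assumptions of this illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class CardControls:
    """Cardholder-chosen settings. None means 'no restriction on this axis'."""
    account_locked: bool = False
    locked_channels: Set[str] = field(default_factory=set)   # e.g. {"atm", "online"}
    max_amount_minor: Optional[int] = None                   # threshold in minor units
    allowed_merchant_categories: Optional[Set[str]] = None
    allowed_countries: Optional[Set[str]] = None             # ISO 3166-1 alpha-2 codes
    allowed_currencies: Optional[Set[str]] = None            # ISO 4217 codes


@dataclass
class Transaction:
    amount_minor: int
    currency: str
    channel: str              # "atm", "pos" or "online" in this example
    merchant_category: str    # e.g. "grocery", "electronics"
    country: str


def evaluate(controls: CardControls, txn: Transaction) -> List[str]:
    """Return every reason the transaction is denied; an empty list means approve.

    Every rule is checked rather than stopping at the first failure, so the
    fraud alert sent to the cardholder can name each setting the attempt broke."""
    denials: List[str] = []
    if controls.account_locked:
        denials.append("account locked")
    if txn.channel in controls.locked_channels:
        denials.append(f"channel '{txn.channel}' locked")
    if controls.max_amount_minor is not None and txn.amount_minor > controls.max_amount_minor:
        denials.append(f"amount {txn.amount_minor} exceeds threshold {controls.max_amount_minor}")
    if (controls.allowed_merchant_categories is not None
            and txn.merchant_category not in controls.allowed_merchant_categories):
        denials.append(f"merchant category '{txn.merchant_category}' not allowed")
    if controls.allowed_countries is not None and txn.country not in controls.allowed_countries:
        denials.append(f"country '{txn.country}' not allowed")
    if controls.allowed_currencies is not None and txn.currency not in controls.allowed_currencies:
        denials.append(f"currency '{txn.currency}' not allowed")
    return denials


def authorize(controls: CardControls, txn: Transaction) -> bool:
    """Fail closed: the transaction goes through only when no rule objects."""
    return not evaluate(controls, txn)


def travel_scenario() -> dict:
    """Constructed scenario: a cardholder travelling from the Philippines to Japan
    locks online use, caps single transactions, and restricts countries and
    currencies for the trip. Returns the rule results for two attempts."""
    controls = CardControls(
        locked_channels={"online"},
        max_amount_minor=500_000,           # 5,000.00 in minor units
        allowed_merchant_categories={"grocery", "restaurant", "transport"},
        allowed_countries={"PH", "JP"},
        allowed_currencies={"PHP", "JPY"},
    )
    in_policy = Transaction(120_000, "JPY", "pos", "restaurant", "JP")
    off_policy = Transaction(90_000, "USD", "online", "electronics", "US")
    return {
        "in_policy": evaluate(controls, in_policy),
        "off_policy": evaluate(controls, off_policy),
        "approved": [authorize(controls, in_policy), authorize(controls, off_policy)],
    }


if __name__ == "__main__":
    for name, reasons in travel_scenario().items():
        print(name, reasons)
```

The design point worth noting is that `authorize` derives from `evaluate` rather than re-implementing the checks: the same decision that blocks the transaction produces the reasons shown to the cardholder, so the alert and the enforcement can never disagree.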

Saturday, November 1, 2014

Facebook just created a new Tor link for users who wish to remain anonymous



Facebook just took the surprising step of adding a way for users of the free anonymizing software Tor to access the social network directly. Tor is an open source project that launched in 2002 to provide a way for people to access the internet without sharing identifying information such as their IP address and physical location with websites and their service providers. People who download the free Tor software can visit websites while keeping the actual location of their computer and its make and model secret. While Tor users could previously access Facebook before today, it often loaded irregularly with incorrectly displayed fonts and sometimes didn't load at all, because Facebook's security features treated Tor as a botnet — a collection of computers designed to attack it.

Don't Fall for This Walmart Mystery Shopper Scam



When Janelle Martin and her husband, James, recently received a check for $1,991.62 that appeared to be from Walmart, her jaw dropped. “That’s an awful lot of money to receive in the mail,” she says. But her excitement quickly faded to skepticism when she read the letter that accompanied the check.

The letter asked them to register the check they received online, then deposit it in their bank account and use some of the money to complete a mystery shopping assignment. Although there are legitimate mystery shopping opportunities, the Martins were seeing red flags. The check supposedly was issued by Wachovia, which was bought by Wells Fargo in 2008 and no longer offers accounts under the Wachovia name. And a little searching on the Internet by the Martins turned up complaints about similar checks and letters.


What seemed like a windfall actually was a scam.


Tuesday, October 28, 2014

Fidelity National Financial warns of data leak after phishing attack



Fidelity National Financial has been contacting an “undisclosed number of individuals”, notifying them that a selection of personal data may have been exposed after some of the Fortune 500 company’s employees had their email accounts targeted by a phishing campaign, SC Magazine reports.

The personal information includes Social Security numbers, bank account numbers, driver’s license numbers and payment card numbers, but at this stage Fidelity National Financial (FNF) has not revealed how many individuals may have been exposed in the breach, which was caused by a phishing campaign that targeted a “small number” of employees’ email accounts.

Federal law enforcers have been informed, and a third-party security expert has been brought in to scope out the nature and extent of the attack. Steps have also been put in place to stop similar events occurring in the future, including enhanced security on email accounts and information and training available to employees.




Dridex Spreading via Word Docs "Banking Malware"



Cybercriminals using the Dridex banking Trojan to steal sensitive information from Internet users have changed the way they are distributing the malware, according to researchers from Palo Alto Networks.

Dridex, which is a successor of the Cridex/Feodo/Geodo Trojans, was first spotted in July. The threat is used by cybercriminals to obtain the information they need for fraudulent bank transactions.

Until recently, Dridex was mostly distributed via executable files attached to spam emails. However, researchers at Palo Alto Networks noticed that cybercriminals have started delivering the threat with the aid of macros placed inside innocent-looking Microsoft Word documents.






Phishing Campaign Linked with “Dyre” Banking Malware



Systems Affected

Microsoft Windows
Overview

Since mid-October 2014, a phishing campaign has targeted a wide variety of recipients while employing the Dyre/Dyreza banking malware. Elements of this phishing campaign vary from target to target including senders, attachments, exploits, themes, and payload(s).[1][2] Although this campaign uses various tactics, the actor’s intent is to entice recipients into opening attachments and downloading malware.

Description

The Dyre banking malware specifically targets sensitive user account credentials. The malware has the ability to capture user login information and send the captured data to malicious actors.[3] Phishing emails used in this campaign often contain a weaponized PDF attachment which attempts to exploit vulnerabilities found in unpatched versions of Adobe Reader.[4][5] After successful exploitation, a user's system will download Dyre banking malware. All of the major anti-virus vendors have successfully detected this malware prior to the release of this alert.[6]

Please note, the below listing of indicators does not represent all characteristics and indicators for this campaign.

Phishing Email Characteristics:
Subject: "Unpaid invoic" (spelling errors in the subject line are a characteristic of this campaign)
Attachment: Invoice621785.pdf

System Level Indicators (upon successful exploitation):
Copies itself to C:\Windows\[RandomName].exe
Creates a service named "Google Update Service" by setting the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"
HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"
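The registry indicators above can be turned into a host check. The following Python is an added example, not part of the US-CERT alert: it parses registry values written in the same `key\value: "data"` form as the two lines above, matches the two fixed indicators (the `googleupdate` service key and its display name), and adds one heuristic of my own, flagging a service whose ImagePath is a bare executable directly under C:\Windows, since the alert says the dropped file name is random and cannot be matched literally. The sample registry lines in the block are constructed; the two benign services and their paths are illustrative, not taken from any real system.

```python
"""Host check for the Dyre service indicators listed in the alert.

Added example: parses registry values written as 'KEY\\Value: "data"'
and reports services that match the alert's indicators. The sample
registry lines further down are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Fixed indicators from the alert. The dropped file name under C:\Windows is
# random per infection, so it cannot be matched literally.
IOC_SERVICE_NAME = "googleupdate"
IOC_DISPLAY_NAME = "Google Update Service"
SERVICES_PREFIX = "hklm\\system\\currentcontrolset\\services\\"

# Heuristic (my assumption, not stated in the alert): a service whose binary is
# a bare executable directly under C:\Windows, with no subdirectory, is unusual
# for legitimate software and matches how the alert says Dyre installs itself.
BARE_EXE_IN_WINDIR = re.compile(r"^c:\\windows\\[a-z0-9]+\.exe$", re.IGNORECASE)


def parse_reg_lines(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Group 'KEY\\Value: "data"' lines into {key: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    for line in lines:
        line = line.strip()
        if ": " not in line:
            continue                      # not a value line; skip it
        path, data = line.split(": ", 1)
        key, _, value_name = path.rpartition("\\")
        keys.setdefault(key, {})[value_name] = data.strip().strip('"')
    return keys


def classify_services(reg: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, List[str]]]:
    """Return {service_key: (confidence, reasons)} for services matching any indicator.

    Two or more independent indicators on the same service are reported as
    "high"; a single one (for example only the display name) as "low", since
    a display name alone is easy to collide with.
    """
    findings: Dict[str, Tuple[str, List[str]]] = {}
    for key, values in reg.items():
        if not key.lower().startswith(SERVICES_PREFIX):
            continue                      # only service keys are of interest
        service = key.rsplit("\\", 1)[1].lower()
        reasons = []
        if service == IOC_SERVICE_NAME:
            reasons.append("service key name matches alert indicator 'googleupdate'")
        if values.get("DisplayName") == IOC_DISPLAY_NAME:
            reasons.append("DisplayName matches alert indicator 'Google Update Service'")
        if BARE_EXE_IN_WINDIR.match(values.get("ImagePath", "")):
            reasons.append("ImagePath is a bare executable directly under C:\\Windows")
        if reasons:
            findings[key] = ("high" if len(reasons) >= 2 else "low", reasons)
    return findings


def dyre_hits(lines: List[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Convenience wrapper: raw registry lines in, findings out."""
    return classify_services(parse_reg_lines(lines))


# Constructed sample: the two values from the alert plus two benign services
# (the benign paths are illustrative, not taken from any real system).
SAMPLE_REG = [
    r'HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\ImagePath: "C:\WINDOWS\pfdOSwYjERDHrdV.exe"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\googleupdate\DisplayName: "Google Update Service"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\gupdate\ImagePath: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\gupdate\DisplayName: "Google Update Service (gupdate)"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath: "C:\Windows\System32\spoolsv.exe"',
    r'HKLM\SYSTEM\CurrentControlSet\Services\Spooler\DisplayName: "Print Spooler"',
]

if __name__ == "__main__":
    for key, (confidence, reasons) in dyre_hits(SAMPLE_REG).items():
        print(f"{confidence.upper()}: {key}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the sample, only the `googleupdate` key is reported, at high confidence, because all three signals line up on it; the benign `gupdate` entry with a similar display name produces no finding. On a real host the lines would come from a registry export of the Services hive, and a low-confidence hit is a prompt to look at the binary, not a verdict.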
Impact


A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services.
Solution


Users and administrators are recommended to take the following preventive measures to protect their computer networks from phishing campaigns:
Do not follow unsolicited web links in email. Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks [7] for more information on social engineering attacks.
Use caution when opening email attachments. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.[8]
Follow safe practices when browsing the web. See Good Security Habits [9] and Safeguarding Your Data [10] for additional details.
Maintain up-to-date anti-virus software.
Keep your operating system and software up-to-date with the latest patches.

US-CERT collects phishing email messages and website locations so that we can help people avoid becoming victims of phishing scams.

You can report phishing to us by sending email to phishing-report@us-cert.gov.
References

[1] MITRE Summary of CVE-2013-2729, accessed October 16, 2014
[2] MITRE Summary of CVE-2010-0188, accessed October 16, 2014
[3] New Banking Malware Dyreza, accessed October 16, 2014
[4] Adobe Security Updates Addressing CVE-2013-2729, accessed October 16, 2014
[5] Adobe Security Updates Addressing CVE-2010-0188, accessed October 16, 2014
[6] VirusTotal Analysis, accessed October 16, 2014
[7] US-CERT Security Tip (ST04-014) Avoiding Social Engineering and Phishing Attacks
[8] US-CERT Recognizing and Avoiding Email Scams
[9] US-CERT Security Tip (ST04-003) Good Security Habits
[10] US-CERT Security Tip (ST06-008) Safeguarding Your Data
Revisions



October 27, 2014: Initial Release


Thursday, October 23, 2014

Darrell Issa Smells Another Obama Scandal In Bank Fraud Cases



WASHINGTON -- Congress is out of session and won't be back until Nov. 12. But that isn't stopping House Oversight Committee Chairman Darrell Issa (R-Calif.) from demanding that consumer watchdogs cough up an ocean of paperwork while he's out of town.

Issa has been waging a minor year-long crusade against a handful of Department of Justice investigations into petty consumer fraud. It hasn't caught on the way his probes into Benghazi and Lois Lerner have, but Issa has riled up his fellow House Republicans and issued a report claiming that DOJ's "Operation Choke Point," which seeks to cut off fraudsters from the banking system, is actually a secret Obama administration plot to destroy payday lenders, and maybe firearms dealers and other industries.

So far, Republicans haven't provided any evidence that any bank has ended any relationship with a legitimate firm due to pressure from Obama bureaucrats. But the investigation has created a lot of headaches for people at Justice and the FDIC who want to root out fraud from the financial system.


And now Issa and Rep. Jim Jordan (R-Ohio) appear to have set their sights higher. On Oct. 16, they sent letters to Federal Reserve Chair Janet Yellen and Comptroller of the Currency Thomas Curry claiming to have a new smoking gun, and demanding piles of documents from both agencies.

"The Committee on Oversight and Government Reform continues its oversight of a multiple federal agency initiative forcing banks to terminate the accounts of legal businesses disfavored by the Administration," Issa and Jordan wrote. "A compliance regime that forces banks to sever all relations with legal and legitimate customers is totally unacceptable."

Anti-money laundering laws have long barred banks from moving illegal cash through the financial system. Banks, as a result, have to keep tabs on their customers and make sure they aren't processing payments or harboring cash for organized crime, drug cartels or petty scammers. DOJ's Operation Choke Point focuses on petty fraudsters. Their first case, from January, documented a host of consumer horror stories from people being ripped off by payday lenders and Ponzi schemes. North Carolina's Four Oaks Bank had been giving carte blanche to transactions, even after recognizing a huge volume of suspicious activity, according to details in the lawsuit.

Source and full story here: http://www.huffingtonpost.com/2014/10/23/darrell-issa-payday-lending_n_6037752.html


Wednesday, October 22, 2014

Microsoft Releases Advisory for Unpatched Windows Vulnerability



Microsoft has released a security advisory to provide recommended mitigations for an unpatched vulnerability (CVE-2014-6352) that affects all Microsoft Windows releases except Windows Server 2003. This vulnerability could allow an attacker to take control of an affected system if a user opens a specially crafted Microsoft Office file.



US-CERT recommends users and administrators review the Microsoft Security Advisory and apply the recommended workarounds.


Friday, October 17, 2014

Apple Releases Security Update - Secure Transport



About Security Update 2014-005

This document describes the security content of Security Update 2014-005.

This update can be downloaded and installed using Software Update or from the Apple Support website.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see How to use the Apple Product Security PGP Key.

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see Apple Security Updates.
Security Update 2014-005


Secure Transport

Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Impact: An attacker may be able to decrypt data protected by SSL

Description: There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.

CVE-ID

CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of Google Security Team

Note: Security Update 2014-005 includes the security content of OS X bash Update 1.0
Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website. Please contact the vendor for additional information.


SSL 3.0 Protocol Vulnerability and POODLE Attack



Systems Affected

All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.

Overview

US-CERT is aware of a design vulnerability found in the way SSL 3.0 handles block cipher mode padding. The POODLE attack demonstrates how an attacker can exploit this vulnerability to decrypt and extract information from inside an encrypted transaction.
Description


The SSL 3.0 vulnerability stems from the way blocks of data are encrypted and padded under CBC-mode block ciphers within the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.

While SSL 3.0 is an old encryption standard and has generally been replaced by Transport Layer Security (TLS), which is not vulnerable in this way, most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. Even if a client and server both support a version of TLS, the SSL/TLS protocol suite allows for protocol version negotiation (referred to as the “downgrade dance” in other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. An attacker who can trigger a connection failure can then force the use of SSL 3.0 and attempt the new attack. [1]

Two other conditions must be met to successfully execute the POODLE attack: 1) the attacker must be able to control portions of the client side of the SSL connection (varying the length of the input) and 2) the attacker must have visibility of the resulting ciphertext. The most common way to achieve these conditions would be to act as Man-in-the-Middle (MITM), requiring a whole separate form of attack to establish that level of access.

These conditions make successful exploitation somewhat difficult. Environments that are already at above-average risk for MITM attacks (such as public WiFi) remove some of those challenges.
Impact


The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).
Solution


There is currently no fix for the vulnerability in SSL 3.0 itself, as the issue is fundamental to the protocol; disabling SSL 3.0 support in system and application configurations is therefore the most viable solution currently available.

Some of the same researchers who discovered the vulnerability also developed a fix for one of the prerequisite conditions: TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from forcing a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV to its latest versions and recommends the following upgrades: [2]
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks.
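To make the TLS_FALLBACK_SCSV mechanism concrete, here is an added Python example, not code from the US-CERT alert or from OpenSSL, of the rule the extension defines (RFC 7507): the client appends the signalling cipher suite value 0x5600 only when it retries at a lower version after a failed attempt, and a server that sees that value alongside a version below its own best refuses the handshake with an inappropriate_fallback alert. The ClientHello bytes are constructed inside the block, the cipher-suite values are the standard ones, and the parser covers only the fields up to cipher_suites, which is all the rule needs.

```python
"""TLS_FALLBACK_SCSV handling as specified in RFC 7507.

Added example, not code from the alert or from OpenSSL. It parses the
leading fields of a ClientHello handshake body and applies the server-side
rule: a fallback signal combined with a version below the server's best
means the handshake is refused. All ClientHello bytes here are constructed.
"""
import struct
from typing import List, Tuple

TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value assigned by RFC 7507
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303
# Ordinary suites used in the samples: TLS_RSA_WITH_AES_128_CBC_SHA and
# TLS_RSA_WITH_3DES_EDE_CBC_SHA.
AES128_CBC_SHA, TDES_CBC_SHA = 0x002F, 0x000A


def build_client_hello(version: int, suites: List[int]) -> bytes:
    """Constructed ClientHello body: version, 32-byte random, empty session id,
    cipher_suites vector and a null-only compression list. No extensions."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    return body


def parse_client_hello(body: bytes) -> Tuple[int, List[int]]:
    """Return (client_version, cipher_suites); raises ValueError on truncation."""
    if len(body) < 2 + 32 + 1:
        raise ValueError("ClientHello too short")
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                    # skip client_random
    sid_len = body[pos]
    pos += 1 + sid_len              # skip session_id
    if len(body) < pos + 2:
        raise ValueError("cipher_suites length missing")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    raw = body[pos:pos + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("cipher_suites vector truncated or odd length")
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, cs_len, 2)]
    return version, suites


def client_hello_for_attempt(version: int, suites: List[int], is_retry: bool) -> bytes:
    """Client side of RFC 7507: append the SCSV only when retrying at a lower
    version after a failed attempt, never on the first connection."""
    return build_client_hello(version, suites + [TLS_FALLBACK_SCSV] if is_retry else suites)


def server_decision(hello: bytes, server_max: int = TLS_1_2) -> str:
    """Server side of RFC 7507 section 3: SCSV present and client version below
    the server's highest supported version means abort with the
    inappropriate_fallback alert; otherwise negotiate normally."""
    version, suites = parse_client_hello(hello)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return "abort: inappropriate_fallback"
    return "continue"


if __name__ == "__main__":
    # A client whose TLS 1.2 attempt was blocked and which retries at SSL 3.0.
    retry = client_hello_for_attempt(SSL_3_0, [AES128_CBC_SHA], is_retry=True)
    # A genuinely old client whose best is TLS 1.0; no SCSV, so it is served.
    legacy = client_hello_for_attempt(TLS_1_0, [AES128_CBC_SHA, TDES_CBC_SHA], is_retry=False)
    print("downgraded retry:", server_decision(retry))
    print("legacy client:", server_decision(legacy))
```

The legacy case is the point of the sentence above: a TLS 1.0 hello without the SCSV is indistinguishable from a forced downgrade, so the server can only refuse what a cooperating client labels as a retry. That is why both ends must support the extension, and why disabling SSL 3.0 outright remains the primary fix rather than an optional one.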

Other SSL 3.0 implementations are most likely also affected by POODLE. Contact your vendor for details. Additional vendor information may be available in the National Vulnerability Database (NVD) entry for CVE-2014-3566. [3]
References

[1] This Poodle Bites: Exploiting The SSL Fallback
[2] OpenSSL Security Advisory [15 Oct 2014]
[3] Vulnerability Summary for CVE-2014-3566
Revisions



October 17, 2014: Initial Release

SSL 3.0 Protocol Vulnerability and POODLE Attack



Systems Affected

All systems and applications utilizing the Secure Socket Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. However, the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability using web browsers and web servers, which is one of the most likely exploitation scenarios.

Overview

US-CERT is aware of a design vulnerability found in the way SSL 3.0 handles block cipher mode padding. The POODLE attack demonstrates how an attacker can exploit this vulnerability to decrypt and extract information from inside an encrypted transaction.
Description


The SSL 3.0 vulnerability stems from the way blocks of data are encrypted under a specific type of encryption algorithm within the SSL protocol. The POODLE attack takes advantage of the protocol version negotiation feature built into SSL/TLS to force the use of SSL 3.0 and then leverages this new vulnerability to decrypt select content within the SSL session. The decryption is done byte by byte and will generate a large number of connections between the client and server.

While SSL 3.0 is an old encryption standard and has generally been replaced by Transport Layer Security (TLS) (which is not vulnerable in this way), most SSL/TLS implementations remain backwards compatible with SSL 3.0 to interoperate with legacy systems in the interest of a smooth user experience. Even if a client and server both support a version of TLS the SSL/TLS protocol suite allows for protocol version negotiation (being referred to as the “downgrade dance” in other reporting). The POODLE attack leverages the fact that when a secure connection attempt fails, servers will fall back to older protocols such as SSL 3.0. An attacker who can trigger a connection failure can then force the use of SSL 3.0 and attempt the new attack. [1]

Two other conditions must be met to successfully execute the POODLE attack: 1) the attacker must be able to control portions of the client side of the SSL connection (varying the length of the input) and 2) the attacker must have visibility of the resulting ciphertext. The most common way to achieve these conditions would be to act as Man-in-the-Middle (MITM), requiring a whole separate form of attack to establish that level of access.

These conditions make successful exploitation somewhat difficult. Environments that are already at above-average risk for MITM attacks (such as public WiFi) remove some of those challenges.
Impact


The POODLE attack can be used against any system or application that supports SSL 3.0 with CBC mode ciphers. This affects most current browsers and websites, but also includes any software that either references a vulnerable SSL/TLS library (e.g. OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a likely web-based scenario, an attacker can gain access to sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens that can then be used to gain more complete access to a website (impersonating that user, accessing database content, etc.).
Solution


There is currently no fix for the vulnerability SSL 3.0 itself, as the issue is fundamental to the protocol; however, disabling SSL 3.0 support in system/application configurations is the most viable solution currently available.

Some of the same researchers that discovered the vulnerability also developed a fix for one of the prerequisite conditions; TLS_FALLBACK_SCSV is a protocol extension that prevents MITM attackers from being able to force a protocol downgrade. OpenSSL has added support for TLS_FALLBACK_SCSV to their latest versions and recommend the following upgrades: [2]
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

Both clients and servers need to support TLS_FALLBACK_SCSV to prevent downgrade attacks.

Other SSL 3.0 implementations are most likely also affected by POODLE. Contact your vendor for details. Additional vendor information may be available in the National Vulnerability Database (NVD) entry for CVE-2014-3566. [3]
References

[1] This Poodle Bites: Exploiting The SSL Fallback
[2] OpenSSL Security Advisory [15 Oct 2014]
[3] Vulnerability Summary for CVE-2014-3566
Revisions

October 17, 2014 Initial Release

Thursday, October 16, 2014

KnowBe4 Issues Alert: CryptoWall 2.0 Ransomware Moves to TOR Network

Tampa Bay, FL (PRWEB) October 15, 2014

KnowBe4 issued an alert to IT Managers that a new version of the world's most widespread ransomware CryptoWall has migrated to the TOR network. It has been upgraded to version 2.0, and continues to encrypt files so that a ransom can be extracted if there are no backups or if the backup process fails, often a common occurrence.

KnowBe4 received a panic call from an IT admin who was hit this week with CryptoWall. The admin's workstation became infected with the malware. The workstation was mapped to 7 servers and within an hour, the entire server farm was shut down. The admin explained he had backups but it would take days to recover the data and get them back up and running. The company's operations would be severely impacted.

"The cyber criminals hit pay dirt with this one and the admin ended up paying the ransom, 1.3 Bitcoin, rather than face the serious costs caused by days of downtime," said Stu Sjouwerman, KnowBe4's CEO. "This is the next generation of ransomware and you can expect this new version to spread like wildfire."

OpenSSL Patches Four Vulnerabilities

OpenSSL has released updates patching four vulnerabilities, some of which may allow an attacker to cause a Denial of Service (DoS) condition or execute man-in-the-middle attacks. The following updates are available:
OpenSSL 1.0.1 users should upgrade to 1.0.1j
OpenSSL 1.0.0 users should upgrade to 1.0.0o
OpenSSL 0.9.8 users should upgrade to 0.9.8zc

US-CERT recommends users and administrators review the OpenSSL Security Advisory for additional information and apply the necessary updates.