HP Zero Day Initiative critical on Google seven-day disclosure plan

Google's recent decision to adopt a seven-day security disclosure policy could potentially harm the security landscape by driving firms to distribute patches which aren't properly tested prior to release, according to the head of HP's Zero Day Initiative (ZDI) security programme.

In an interview with V3, HP Security Research ZDI manager Brian Gorenc said that in some cases, large firms who are hit by surprise with a vulnerability report may not have enough time to properly develop and test their fixes prior to the seven day disclosure deadline.

“With larger organisations a seven day timeline is difficult for vendors to implement,” he explained.

“They are having to get samples of the exploit itself and the payloads that come with it.”

The result, he fears, could be patches which are not properly tested and will potentially cause conflicts or performance issues when deployed by administrators that will undermine customer confidence over the long run. ZDI maintains its own timeline policy which, in the case of non-targeted flaws, can hold disclosure for as long as 180 days.

For its part, Google has acknowledged that in some cases seven days may not be enough for a full patch to be developed and released. In announcing the new policy, Google engineers Chris Evans and Drew Hintz noted that other mitigation measures can be taken to protect users from attacks in the wild while a fix is being developed.

“Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information,” the pair noted.

Regardless of their stance on disclosure policies, both Google and ZDI wish to see vendors improve the speed with which they develop and deploy fixes for security vulnerabilities. For Gorenc, a large part of the change should come with how they interact with security researchers who report flaws.

He said that the company has seen success in its recent efforts, such as the Pwn2Own contest in which zero day flaws exposed in the contest are reported directly to vendors and patched quickly with the cooperation of researchers. Additionally, Gorenc hailed Microsoft's MAPP program, which provides security vendors with information needed to address vulnerabilities days prior to patch releases, allowing for even unpatched systems to be protected by security software.

“The most important thing is the vendors work to improve their patching process,” he said.

“I think the communication and information sharing between the researchers and protection communities needs to be a smooth operation.”

US government assembled international target list for cyberattacks

The US government is once again drawing international outcry over its cyber policies, this time over a possible list of international attack targets.

The Guardian has posted a leaked memo said to have come directly from the White House, asking various agencies to assemble a list of cyberattack targets on foreign soil. According to the report, the targets could include both sources of intelligence and vital infrastructure which could be targeted to disable communications or cause real-world damage in targeted regions.

“The United States has an abiding interest in developing and maintaining the use of cyberspace as an integral part of US national capabilities to collect intelligence and to deter interests in peace, crisis or war,” the document reads.

“Given the evolution in US experience, policy capabilities, and understanding of the cyber threat, and in information and communications technology, this directive establishes updated principles and processes as part of an overarching national cyber policy framework.”

The directive then goes on to describe how the government could use Offensive Cyber Effects Operations (OCEO) activities to strike at enemies during possible military operations, potentially allowing cyberwarfare tactics to be utilised alongside conventional tactics.

“OCEO can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging,” the order reads.

“The development and sustainment of OCEO capabilities, however, may require considerable time and effort if access and tools for a specific target do not already exist.”

The US is widely believed to already be involved in cyberattack operations. The government has been accused of working at least in part on the development of the Stuxnet malware families and has been accused by China of trying to compromise millions of its systems.

The leak comes just one day after the US saw its PRISM data collection programme outed to the public. The database includes information collected from top messaging and social networking platforms and has been said to have been accessed by UK authorities as well.

Microsoft prepping just one critical fix for Patch Tuesday

Microsoft is preparing to update a critical flaw in Internet Explorer for its next monthly security update.

The company said that its Patch Tuesday release will include a fix for the remote code execution flaw which is seen as a top security concern in systems ranging from Windows XP to Windows 8 and Internet Explorer versions 6 through 10.

While the exact nature of the vulnerability itself will not be revealed until after Microsoft posts the fix, the company said that if exploited, the flaw could allow an attacker to remotely execute code on a targeted system. Such flaws are commonly targeted by attackers for web-based 'drive by' malware attacks.

Three of the remaining four planned bulletins will address denial of service, elevation of privilege and information disclosure flaws in Windows. All three have been classified by the company as 'important' security priorities.

The fourth fix planned for June will address a remote code execution vulnerability in Microsoft Office classified by Microsoft as an 'important' risk. Such remote code flaws in Office are often considered less than critical because a user would have to be convinced to manually launch an attack file in order to exploit the flaw.

According to Trustwave director of security research Ziv Mador, administrators should not be lulled into a false sense of security by the relatively light patch load this month.

“Just because there is only five bulletins this month doesn’t mean we shouldn’t pay attention to them,” Mador cautioned.

“If you are planning ahead note that four of these bulletins will require a restart after installing and the fifth one might, probably depending on what else you have installed.”

Phishing attack hosted on police site with an SSL certificate

The Malaysian government's Police Portal (Johor Contingent) is currently hosting a phishing attack against PayPal on its secure website https://www.polisjohor.gov.my.Phishing sites using SSL certificates can piggyback on the trust instilled by browser indicators, such as the padlock icon, to trick potential victims into revealing sensitive information such as their username and password.

The SSL certificate used for this phishing attack is irrevocable in some major browsers including Firefox (due to the lack of an OCSP URL in the certificate) and Safari (which doesn't check revocation by default).

Fraudsters often use a compromised third party website to host their phishing attack rather than obtaining web hosting directly. By compromising an existing trusted website the fraudster can avoid paying for a potentially suspicious domain name or SSL certificate himself. For example, registering or obtaining an SSL certificate for paypaal.com could draw unwanted attention if the registrar or SSL certificate authority is already conscious of the risk posed by this type of domain name.
The presence of an SSL certificate on a website hosting a phishing site is far from unusual. In May 2013, Netcraft identified 234trusted SSL certificates on websites with at least one known phishing site. Of these, 67 were issued by Symantec (including the polisjohor.gov.my certificate) which may not besurprising given its leading position in theSSL certificate market. Comodo and Go Daddy had a similar number of such certificates discovered by Netcraft, 42 and 46 respectively. Extended Validation (EV) certificates could be especially valuable to a fraudster asthey are designed explicitly to increase theperceived trustworthiness of websites which have passed the validation process by displaying additional indicators such as green bar. During May 2013, Netcraft identified five EV certificates being used on potentially compromised websites: two signed by Symantecand one each signed by Comodo, DigiCert, andGo Daddy.
The SSL certificate for polisjohor.gov.mywas issued by GeoTrust (a Symantec brand) back in 2011 and is valid for several more months. If Symantec wished to revoke the certificate to make the site inaccessible over HTTPS it could do so by updating its Certificate Revocation List or by providing on-demand OCSP responses noting its revocation. As examined by Netcraft recently, the current treatment of revocation in many major browsers leaves some room for improvement: this certificate does not contain an OCSP URL so is irrevocable in Firefox. Even if the CA wanted to, it could not directly prevent further useof the certificate in Firefox. Safari usersare left unprotected by default as the revocation checking has to be explicitly enabled.
Netcraft offers Phishing alerts to CAs toprovide timely alerts to the CA about potential misuse of a certificate. Having access to timely, professionally validated alerts when phishing attacks occur can allow the CA to provide the first alert of a compromise to the webmaster. Both the CA and the webmaster are then able to respond appropriately tothe potential compromise, safeguarding the reputation of both parties.

China is victim of hacking attacks

China has been the target of serious cyberattacks from the United States, but Beijing has never blamed Washington or the Pentagon because such accusations would be "technically irresponsible", Chinese Internet insiders said. The cyberattacks from the US have been as grave as the ones the US claims China has conducted, they said on Tuesday. China's Internet emergency response agency has tried its best to handle all the US complaints made this year, they said. However, the US never mentioned the alleged Chinese hacking theft of the designs of more than 20 kinds of top US weapons, but instead gave the unverified information directly to the media.

"We have mountains of data, if we wanted to accuse the US, but it's not helpful in solving the problem," said Huang Chengqing, director of the National Computer Network Emergency Response Technical Team/Coordination Center of China, also known as CNCERT.
"The importance of handling Internet security cases keeps rising, but the issue can only be settled through communication, not confrontation."
Huang's remarks came after a slew of reports accusing China of hacking were released in the US this year. High-ranking officials in Washington also pressed Beijing on the issue in recent weeks.
According to CNCERT, in the first five months of this year, 13,408 overseas trojan horses or bot control servers — two popular hacking tools — hijacked around 5.63 million mainframes in China. Of those, 4,062 US-based control servers hijacked 2.91 million mainframes in China.
The US ranked first in both the number of control servers and the number of mainframes controlled in China.
In the same period, websites of 249 important Chinese organizations including government departments, key information systems and research institutions were implanted with backdoor programs. Among them, 54 websites were hijacked by US-based IP addresses for stealing information.
"However, it's hard to judge whether the US government supported or got involved in the hacking. Besides, hackers can easily hide their real location and identities," Huang said.
"So technically it is irresponsible and unfounded for some people to talk about alleged hacking supported by the Chinese authorities."
As for the Washington Post report in late May about Chinese hacking on US weapons, Huang said design information of top-class weapons are usually listed as top national secrets. "Even following the general principle of secret-keeping, it should not have been linked to the Internet."
Huang said his agency has been fighting with hackers. Except for daily work of Internet security monitoring, prewarning and emergency response, CNCERT cut hackers’ remote control on 39.37 million infected mainframes in 2012.
The agency has set up Internet security cooperative relations with 91 organizations in 51 countries and regions.
Huang said a case in March explains the importance of such cooperation. At that time, South Korea suspected that Chinese hackers paralyzed the network of some local media and banks and required assistance from CNCERT. Through joint efforts, it was discovered that the IP address connected to the hacking was in the range of Chinese IP addresses but was actually used by a South Korean bank.
As for cooperation with the US, Huang said in the first four months of this year CNCERT received 32 Internet security cases from the US, among the 227 complaints from abroad.
They handled the US cases in time, except for attempted IP address attacks, which lacked sufficient proof. And they sent feedback to the US on all the cases.
"But they did not mention these efforts, instead they advocated cases that they never let us know about. Some cases can be addressed if they had talked to us, why not let us know? It is not a constructive train of thought to solve problems," Huang said.
"Besides, we have smooth communication at the civil level. I don't understand why all levels of the US government are accusing China of cybersecurity recently. I felt it is driven by some political intentions, though I don't know what the intentions are."
Huang said he noticed the US has kept beefing up its cyberwar forces as it hyped hacking threats from China.
After Mandiant, a Washington-based cybersecurity group, said in a report in February that the People's Liberation Army sponsors hacking, US Cyber Command and National Security Agency chief General Keith Alexander told Congress in March that of the 40 new Cyber Command teams being assembled, 13 would be focused on offensive operations.
Gao Xinmin, vice-chairman of Internet Society of China, said: "The US is much more dependent on the Internet than developing nations, so it is fully understandable that they attach great importance to the issue."
"However, because of the lack of mutual trust, it is easy for some countries to blame hacking on other governments. And driven by some political needs, the dirty water is often poured onto China," Gao said.
The White House has announced that cybersecurity will be high on the agenda of President Xi Jinping's meeting with US President Barack Obama this week in California.
CNCERT's Huang said it is necessary to have multi-level talks, but the most effective way is to "start from the basic level" and beef up communication between frontline agencies, such as emergency response organizations, from relevant countries.