Just one day after the Heartbleed bug was announced to the world, researchers spotted an attack exploiting it. Photographer: Jean Chung/Bloomberg
For those who don't feel the urgency to install the latest security fixes for their computers, take note: Just a day after Heartbleed was revealed, attacks from a computer in China were launched.
The software bug, which affects a widely used form of encryption called OpenSSL, was announced to the world April 7 at 1:27 p.m. New York time, according to the Sydney Morning Herald. That sent companies scrambling to fix their computer systems -- and for good reason.
At 8:23 p.m. the following day, a computer in China that was
previously used for hacking and other malicious activities tried to
attack a server at the University of Michigan, said J. Alex Halderman,
an assistant professor of electrical engineering and computer science.
The university's computer was a "honeypot," which was intentionally left
vulnerable and designed to attract attacks so researchers could study
them.
The hackers' fast turnaround highlights how quickly the
digital underworld is in taking advantage of newly disclosed software
vulnerabilities. So far, 41 attempts to exploit the Heartbleed hole have
been made on three honeypots operated by Halderman and his research
team. About half have come from China. The attacks could include some
attempts by other researchers trying to assess the impact of the bug.
Yahoo saw some of its user information spilled onto the Internet after waiting too long to fix the Heartbleed bug in its servers. The company said that it had fixed the problems on its main properties within 48 hours. It has now fixed the problem across all of its sites.
Jennifer Lynch is a senior staff attorney with the Electronic Frontier Foundation and works on open government, transparency and privacy issues, including drones, automatic license plate readers and facial recognition.
New documents released by the FBI show that the Bureau is well on its way toward its goal of a fully operational face recognition database by this summer.
The EFF received these records in response to our Freedom of Information Act lawsuit for information on Next Generation Identification (NGI)—the FBI’s massive biometric database that may hold records on as much as one-third of the US population. The facial recognition component of this database poses real threats to privacy for all Americans.
What is NGI?
NGI builds on the FBI’s legacy fingerprint database—which already
contains well over 100 million individual records—and has been designed
to include multiple forms of biometric data, including palm prints and
iris scans in addition to fingerprints and face recognition data. NGI
combines all these forms of data in each individual’s file, linking them
to personal and biographic data like name, home address, ID number,
immigration status, age, race, etc. This immense database is shared with
other federal agencies and with the approximately 18,000 tribal, state,
and local law enforcement agencies across the United States.
The records we received show that the face recognition component of
NGI may include as many as 52 million face images by 2015. By 2012, NGI
already contained 13.6 million images representing between 7 and 8
million individuals, and by the middle of 2013, the size of the database
increased to 16 million images. The new records reveal that the
database will be capable of processing 55,000 direct photo enrollments
daily and of conducting tens of thousands of searches every day.
NGI will include non-criminal as well as criminal photos
One of our biggest concerns about NGI has been the fact that it will include non-criminal as well as criminal face images. We now know that the FBI projects that by 2015, the database will include 4.3 million images taken for non-criminal purposes.
Currently, if you apply for any type of job that requires
fingerprinting or a background check, your prints are sent to and stored
by the FBI in its civil print database. However, the FBI has never
before collected a photograph along with those prints. This is changing
with NGI. Now an employer could require you to provide a “mug shot”
photo along with your fingerprints. If that’s the case, then the FBI
will store both your face print and your fingerprints along with your
biographic data.
In the past, the FBI has never linked the criminal and non-criminal
fingerprint databases. This has meant that any search of the criminal
print database (such as to identify a suspect or a latent print at a
crime scene) would not touch the non-criminal database. This will also
change with NGI. Now, every record—whether criminal or non—will have a “Universal Control Number” (UCN),
and every search will be run against all records in the database. This
means that even if you have never been arrested for a crime, if your
employer requires you to submit a photo as part of your background
check, your face image could be searched—and you could be implicated as a
criminal suspect—just by virtue of having that image in the
non-criminal file.
Many states are already participating in NGI
The records detail the many states and law enforcement agencies the
FBI has already been working with to build out its database of images (see map below).
By 2012, nearly half of US states had at least expressed an interest in
participating in the NGI pilot program, and several of those states had
already shared their entire criminal mugshot database with the FBI. The
FBI hopes to bring all states online with NGI by this year.
The FBI worked particularly closely with Oregon through a special
project called “Face Report Card.” The goal of the project was to
determine and provide feedback on the quality of the images that states
already have in their databases. Through Face Report Card, examiners
reviewed 14,408 of Oregon’s face images and found significant problems
with image resolution, lighting, background and interference. Examiners
also found that the median resolution of images was “well-below” the
recommended resolution of .75 megapixels (in comparison, newer iPhone cameras are capable of 8 megapixel resolution).
FBI disclaims responsibility for accuracy
At such a low resolution, it is hard to imagine that identification will be accurate.1
However, the FBI has disclaimed responsibility for accuracy, stating
that “[t]he candidate list is an investigative lead, not an
identification.”
Because the system is designed to provide a ranked list of
candidates, the FBI states NGI never actually makes a “positive
identification,” and “therefore, there is no false positive rate.” In
fact, the FBI only ensures that “the candidate will be returned in the
top 50 candidates” 85 percent of the time “when the true candidate
exists in the gallery.”
It is unclear what happens when the “true candidate” does not exist
in the gallery—does NGI still return possible matches? Could those
people then be subject to criminal investigation for no other reason
than that a computer thought their face was mathematically similar to a
suspect’s? This doesn’t seem to matter much to the FBI—the Bureau notes
that because “this is an investigative search and caveats will be
prevalent on the return detailing that the [non-FBI] agency is
responsible for determining the identity of the subject, there should be
NO legal issues.”
Nearly 1 million images will come from unexplained sources
One of the most curious things to come out of these records is the
fact that NGI may include up to one million face images in two
categories that are not explained anywhere in the documents. According
to the FBI, by 2015, NGI may include:
46 million criminal images
4.3 million civil images
215,000 images from the Repository for Individuals of Special Concern (RISC)
750,000 images from a "Special Population Cognizant" (SPC) category
215,000 images from "New Repositories"
However, the FBI does not define either the “Special Population
Cognizant” database or the "new repositories" category. This is a
problem because we do not know what rules govern these categories, where
the data comes from, how the images are gathered, who has access to
them, and whose privacy is impacted.
A 2007 FBI document
available on the Web describes SPC as “a service provided to Other
Federal Organizations (OFOs), or other agencies with special needs by
agreement with the FBI” and notes that “[t]hese SPC Files can be
specific to a particular case or subject set (e.g., gang or terrorist
related), or can be generic agency files consisting of employee
records.” If these SPC files and the images in the "new repositories"
category are assigned a Universal Control Number along with the rest of
the NGI records, then these likely non-criminal records would also be
subject to invasive criminal searches.
Government contractor responsible for NGI has built some of the largest face recognition databases in the world
The company responsible for building NGI’s facial recognition component—MorphoTrust (formerly L-1 Identity Solutions)—is also the company that has built the face recognition systems used by approximately 35 state DMVs and many commercial businesses.2 MorphoTrust built and maintains the face recognition systems for the Department of State, which has the “largest facial recognition system deployed in the world” with more than 244 million records,3 and for the Department of Defense, which shares its records with the FBI.
The FBI failed to release records discussing whether MorphoTrust uses
a standard (likely proprietary) algorithm for its face templates. If it
does, it is quite possible that the face templates at each of these
disparate agencies could be shared across agencies—raising again the
issue that the photograph you thought you were taking just to get a
passport or driver’s license is then searched every time the government
is investigating a crime. The FBI seems to be leaning in this direction:
an FBI employee e-mail notes that the “best requirements for sending an
image in the FR system” include “obtain[ing] DMV version of photo
whenever possible.”
Why should we care about NGI?
There are several reasons to be concerned about this massive
expansion of governmental face recognition data collection. First, as
noted above, NGI will allow law enforcement at all levels to search
non-criminal and criminal face records at the same time. This means you
could become a suspect in a criminal case merely because you applied for
a job that required you to submit a photo with your background check.
Second, the FBI and Congress have thus far failed to enact meaningful
restrictions on what types of data can be submitted to the system, who
can access the data, and how the data can be used. For example, although
the FBI has said in these documents that it will not allow non-mugshot
photos such as images from social networking sites to be saved to the
system, there are no legal or even written FBI policy restrictions in
place to prevent this from occurring. As we have stated before, the Privacy Impact Assessment
for NGI’s face recognition component hasn’t been updated since 2008,
well before the current database was even in development. It cannot
therefore address all the privacy issues impacted by NGI.
Finally, even though the FBI claims that its ranked candidate list
prevents the problem of false positives (someone being falsely
identified), this is not the case. A system that only purports to
provide the true candidate in the top 50 candidates 85 percent of the
time will return a lot of images of the wrong people. We know from researchers that
the risk of false positives increases as the size of the dataset
increases—and at 52 million images, the FBI’s face recognition is a very
large dataset. This means that many people will be presented as
suspects for crimes they didn’t commit. This is not how our system of
justice was designed, and it should not be a system that Americans
tacitly consent to move toward.
For more on our concerns about the increased role of face recognition in criminal and civil contexts, read Jennifer Lynch’s 2012 Senate Testimony. We will continue to monitor the FBI’s expansion of NGI.
Here are the documents:
1. In fact, another document notes that “since the trend for the quality of data received by the customer is lower and lower quality, specific research and development plans for low quality submission accuracy improvement is highly desirable.”
2. MorphoTrust’s parent company, Safran Morpho, describes itself as “[t]he world leader in biometric systems” and is largely responsible for implementing India’s Aadhaar project, which will ultimately collect biometric data from nearly 1.2 billion people.
3. One could argue that Facebook’s is larger. Facebook states that its users have uploaded more than 250 billion photos. However, Facebook never performs face recognition searches on that entire 250 billion photo database.
Computer hard drive maker LaCie has acknowledged
that a hacker break-in at its online store exposed credit card numbers
and contact information on customers for the better part of the past
year. The disclosure comes almost a month after the breach was first
disclosed by KrebsOnSecurity.
On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion
software. In response, Seagate said it had engaged third-party security
firms and that its investigation was ongoing, but that it had found no
indication that any customer data was compromised.
The Lacie.com Web site as listed in the control panel of a botnet of hacked ecommerce sites.
In a statement sent to this reporter on Monday, however, Seagate
allowed that its investigation had indeed uncovered a serious breach.
Seagate spokesman Clive J. Over said the breach may
have exposed credit card transactions and customer information for
nearly a year beginning March 27, 2013. From his email:
“To follow up on my last e-mail to you, I can confirm
that we did find indications that an unauthorized person used the
malware you referenced to gain access to information from customer
transactions made through LaCie’s website.”
“The information that may have been accessed by the unauthorized
person includes name, address, email address, payment card number and
card expiration date for transactions made between March 27, 2013 and
March 10, 2014. We engaged a leading forensic investigation firm, who
conducted a thorough investigation into this matter. As a precaution, we
have temporarily disabled the e-commerce portion of the LaCie website
while we transition to a provider that specializes in secure payment
processing services. We will resume accepting online orders once we have
completed the transition.”
Security and data privacy are extremely important to LaCie, and we
deeply regret that this happened. We are in the process of implementing
additional security measures which will help to further secure our
website. Additionally, we sent notifications to the individuals who may
have been affected in order to inform them of what has transpired and
that we are working closely and cooperatively with the credit card
companies and federal authorities in their ongoing investigation.
It is unclear how many customer records and credit cards may have
been accessed during the time that the site was compromised; Over said
in his email that the company did not have any additional information to
share at this time.
As I noted in a related story last month,
Adobe ColdFusion vulnerabilities have given rise to a number of high
profile attacks in the past. The same attackers who hit LaCie also were
responsible for a breach at jam and jelly maker Smuckers, as well as Alpharetta, Ga. based credit card processor SecurePay.
In February, a hacker in the U.K. was charged with accessing
computers at the Federal Reserve Bank of New York in October 2012 and
stealing names, phone numbers and email addresses using ColdFusion
flaws. According to this Business Week story,
Lauri Love was arrested in connection with a sealed case which claims
that between October 2012 and August 2013, Love hacked into computers
belonging to the U.S. Department of Health and Human Services, the U.S.
Sentencing Commission, Regional Computer Forensics Laboratory and the
U.S. Department of Energy.
According to multiple sources with knowledge of the attackers and
their infrastructure, this is the very same gang responsible for an
impressive spree of high-profile break-ins last year, including:
- An intrusion at Adobe in which the attackers stole credit card data, tens of millions of customer records, and source code for most of Adobe’s top selling software (ColdFusion, Adobe Reader/Acrobat/Photoshop);
- A break-in targeting data brokers LexisNexis, Dun & Bradstreet, and Kroll;
- A hack against the National White Collar Crime Center, a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.
INTERNET SEARCH AND ADVERTISING GIANT Google is considering giving websites that use strong encryption preferential placement on its search listings.
Google senior engineer Matt Cutts has hinted at this, having spoken about such a move. Cutts was talking at the SMX West conference in San Jose, California, when website hacking came up and he talked about Google's responses to it. He said that rewarding secure websites will save Google time whenever a fresh security panic sweeps the internet, according to Time magazine.
"We don't have the time to maybe hold your hand and walk you through
and show you exactly where it happened," was what he reportedly said at
the SMX event last month. Cutts has also spoken in private about this, the Wall Street Journal reported. Google has remained mute on the topic.
No one is expecting the change to happen anytime soon; however, Google is throwing resources at Heartbleed, which is a much more immediate issue.
Google is one of the few outfits that had prior knowledge of the
OpenSSL vulnerability, and now, almost a week later, it is still
reacting to it. In an update to its Online Security blog it suggested that some of its users should establish new encryption keys immediately.
"In light of new research on extracting keys using the Heartbleed
bug, we are recommending that Google Compute Engine (GCE) customers
create new keys for any affected SSL services. Google Search Appliance
(GSA) customers should also consider creating new keys after patching
their GSA," it wrote yesterday.
"Engineers are working on a patch for the GSA, and the Google
Enterprise Support Portal will be updated with the patch as soon as it
is available." In March, following PRISM revelations, Google began to step up encryption of its services, and applied extra security to email, searches and servers.
GOOGLE HAS UPDATED its privacy terms and conditions, eroding a little more of its users' privacy.
Google is so far unapologetic about its changes, despite having
created some controversy. The bulk of the responses worry that Google is
now able to read users' emails and scan them for its various purposes.
In its terms and conditions the firm said that its users agree that
information that they submit and share with its systems is all fair
game. Its update, the first since last November, makes the changes very
clear.
"When you upload, or otherwise submit, store, send or receive content
to or through our Services, you give Google (and those we work with) a
worldwide license to use, host, store, reproduce, modify, create
derivative works (such as those resulting from translations, adaptations
or other changes we make so that your content works better with our
Services), communicate, publish, publicly perform, publicly display and
distribute such content," it said.
"The rights you grant in this license are for the limited purpose of
operating, promoting, and improving our Services, and to develop new
ones. This license continues even if you stop using our Services."
That is not a new bit, and that text was present in November. The new addition says that this reach is extending further.
"Our automated systems analyse your content (including emails) to
provide you personally relevant product features, such as customised
search results, tailored advertising, and spam and malware detection,"
it added. "This analysis occurs as the content is sent, received, and
when it is stored."
Google told us that the changes are clarifying, but not really
changing anything. "We want our policies to be simple and easy for users
to understand," it said in a statement.
"These changes will give people even greater clarity and are based on feedback we've received over the last few months."
Last month as she considered a case against Google, US District Court
Judge Lucy Koh explicitly said that many of the search firm's customers
do not appreciate what the firm does with their information.
This would be in line with the view that Google put out in 2013. Then it said that its users should not expect any privacy protection.
Then Consumer Watchdog Privacy Project director John Simpson advised
anyone that wants privacy to look elsewhere for email services.
"Google has finally admitted they don't respect privacy. People should take them at their word; if you care about your email correspondents' privacy, don't use Gmail," he said.
Defense Secretary Chuck Hagel announced Pentagon efforts to
strengthen its U.S. Cyber Command in coming years. By 2016, the Fort
Meade, Md.-based military command expects to triple its security staff
to 6,000 people, he said.
Hagel revealed the recruitment efforts late last month during a
speech at the National Security Agency's (NSA) headquarters, according
to a March PBS report. In the speech, Hagel also shared that the Pentagon's hiring plans included military and civilian candidates.
By this year's end, Hagel expects the Pentagon's cyber security workforce to stand at 1,800 individuals.
The move comes as the government attempts to thwart cyber espionage
threats from China and elsewhere, as well as other cyber attacks that
threaten national security or economic competitiveness.
In one measure to specifically stave off critical infrastructure attacks, the National Institute of Standards and Technology (NIST) released a cyber security framework to help aid organizations and operators. NIST unveiled the voluntary framework
in February, which was designed to complement organizations' existing
security management programs. The framework was intended to serve as a
guidepost for a range of industries managing integral processes for the
nation, from water treatment facilities and energy companies to the
finance and healthcare sectors.
On Tuesday, Michael Daly, the CTO for Raytheon's cyber business, told
SCMagazine.com that the government would likely have to do a lot of
training, while partnering with private companies and educational
institutions, to fill the demand for such jobs.
“It has to do with having the skills,” Daly said. “I think that when
the jobs are there, the people with the skills are seeking them out and
going after them. What we are seeing is a huge backlog as far as being
able to hire people into these jobs. The number of security jobs have
grown, but these jobs are taking a lot longer to fill.”
Last year, “The 2013 (ISC)2 Global Information Security Workforce Study” found that, among 12,000 information security professionals polled, 56 percent said that their organization was in need of more security workers.
In a Tuesday interview, W. Hord Tipton, executive director of training and certifying body (ISC)2,
said that the government sometimes pays as high as 25 percent over the
standard government salary for classified security jobs – but often the
best candidates are lost by the lure of even higher-paying positions in
the private sector.
“You lose your best talent to companies that are willing to pay more,” Tipton said.
When infosec people perform intrusion detection, they usually look for attacks like port scans, buffer overflows and specific exploit signatures. For example, remember the OpenSSL Heartbleed vulnerability? The following is the Snort alert for this vulnerability, taken from the Snort community rules:

```
alert tcp $EXTERNAL_NET any -> $HOME_NET [25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 00|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:5;)
```
When you perform inline detection within electrical SCADA networks, latency is a big issue. That means you need to fully optimize the number of checks so that latency does not increase by more than 3 ms. We also need to cover threats other than malware, exploits and buffer overflows. I will detail in this diary some specific SCADA protocol packets that could be malicious traffic and cause terrible consequences for the process infrastructure. Today I will detail malicious packets from the DNP3 protocol.
The following text details DNP3 packet structure:
Source: Practical Industrial Data Communications
Start: This is the starting delimiter of the DNP3 data link layer. It is always set to 0x0564 (the bytes 0x05 0x64 on the wire).
Length: This is the number of bytes for user data inside the DNP3 packet, plus 5 and does not count CRC bytes.
Control: This is the DNP3 Frame Control Byte, which provides
control of data flow between the master and slave over the physical
link. It identifies the type of the message and the flow direction for
the communication.
Destination: DNP3 outstations are identified by a two-byte address. These two bytes are the little-endian representation of the outstation destination address.
Source: These two bytes are the little-endian representation of the outstation source address.
CRC: Little-endian representation of the CRC-16 DNP3. This is calculated for each block and placed in the end of it.
Transport control: This DNP3 Frame Control Byte provides control of
data flow between the master and slave in the transport level.
Userdata for block n:
Application Layer: Control byte: Duplicates the control byte in the transport control field.
Application layer: Function code: Defines the function being invoked by the packet.
Application layer: structures: Defines the structures being written or queried.
CRC: Little-endian representation of the CRC-16 DNP3 for block n user data.
The following DNP3 functions could be used in a malicious way:
1. DNP3 Warm Restart: When this packet is received by the outstation and it recognizes that it comes from the master, it performs a partial restart on completion of the communications sequence. If this packet is received several times per second, the IED will experience a denial of service and won't be able to perform actions on the industrial process, send events to the HMI or receive commands from the HMI. A typical DNP3 Warm Restart packet looks like the following:
2. DNP3 Cold Restart: When this packet is received by the outstation and it recognizes that it comes from the master, it performs a full restart on completion of the communications sequence. If this packet is received several times per second, the IED will experience a denial of service and won't be able to perform actions on the industrial process, send events to the HMI or receive commands from the HMI. The packet looks the same as the previous one with one little change: counting three bytes back from the end of the packet (that byte is the application-layer function code; the two bytes after it are the block CRC), change 0E (DNP3 Warm Restart) to 0D (DNP3 Cold Restart). The following filters recognize these packets:
3. DNP3 Time Change: When this packet is received, the IED or RTU can change its internal clock, so orders received with a specific timestamp won't be executed and log entries will be placed at different points in time, so the operator can't see them in real time. A typical DNP3 Time Change packet looks like the following:
Wireshark can't fully filter these packets, so the following tcpdump filter is provided: ip[52]=2 and ip[53]=0x32 and ip[54]=1
Note that these offsets assume a 20-byte IP header and a 20-byte TCP header with no options: offset 52 is then the application-layer function code (2 = WRITE), followed by the object group (0x32 = 50, time and date) and variation (1).
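As an added example (not part of the original diary), the following Python script parses the DNP3 link-layer framing described above, verifies the CRC-16/DNP of the header and of each user-data block, and labels the three application-layer functions discussed (0x0E Warm Restart, 0x0D Cold Restart, and a WRITE of group 50 variation 1 as in the tcpdump filter), with a per-source sliding-window count for restart floods. Every frame, address, control byte and threshold in it is constructed for illustration.

```python
"""Constructed example: parse DNP3 link-layer frames, check CRC-16/DNP and flag
the function codes the diary singles out. Addresses, control bytes, timing and
thresholds below are made up for illustration."""
from collections import defaultdict, deque

DNP3_START = b"\x05\x64"                     # start delimiter 0x0564
FC_WRITE, FC_COLD_RESTART, FC_WARM_RESTART = 0x02, 0x0D, 0x0E
GROUP_TIME_AND_DATE = 50                      # 0x32 in the diary's tcpdump filter


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (bit-reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def _with_crc(block: bytes) -> bytes:
    """Append the block CRC low byte first, as DNP3 transmits it."""
    return block + crc16_dnp(block).to_bytes(2, "little")


def build_frame(control: int, dst: int, src: int, user_data: bytes) -> bytes:
    """Link header (start, length = user bytes + 5, control, dst, src) + CRC,
    then the user data in 16-byte blocks, each followed by its own CRC."""
    header = (DNP3_START + bytes([len(user_data) + 5, control])
              + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = _with_crc(header)
    for i in range(0, len(user_data), 16):
        frame += _with_crc(user_data[i:i + 16])
    return frame


def parse_frame(frame: bytes) -> dict:
    """Verify start bytes and every CRC; raise ValueError on any framing error."""
    if frame[:2] != DNP3_START:
        raise ValueError("bad start bytes")
    header, header_crc = frame[:8], frame[8:10]
    if crc16_dnp(header).to_bytes(2, "little") != header_crc:
        raise ValueError("header CRC mismatch")
    dst = int.from_bytes(header[4:6], "little")
    src = int.from_bytes(header[6:8], "little")
    user_len, user_data, pos = header[2] - 5, b"", 10   # length byte counts 5 header bytes
    while len(user_data) < user_len:
        n = min(16, user_len - len(user_data))
        block, block_crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or crc16_dnp(block).to_bytes(2, "little") != block_crc:
            raise ValueError("user-data CRC mismatch or truncated frame")
        user_data += block
        pos += n + 2
    return {"control": header[3], "dst": dst, "src": src, "user_data": user_data}


def classify(user_data: bytes) -> str:
    """[0] transport control, [1] application control, [2] function code,
    [3:] first object header (group, variation, qualifier, ...)."""
    if len(user_data) < 3:
        return "link-only"
    function = user_data[2]
    if function == FC_WARM_RESTART:
        return "warm-restart"
    if function == FC_COLD_RESTART:
        return "cold-restart"
    if (function == FC_WRITE and len(user_data) >= 5
            and user_data[3] == GROUP_TIME_AND_DATE and user_data[4] == 1):
        return "time-change"
    return "other"


class RestartFloodDetector:
    """Per-source sliding window over restart requests, in the spirit of the
    Snort detection_filter (track by_src, count N, seconds S) quoted earlier."""

    def __init__(self, count: int = 3, window: float = 1.0):
        self.count, self.window = count, window
        self.seen = defaultdict(deque)      # src address -> restart timestamps

    def observe(self, src: int, label: str, now: float) -> bool:
        """True once `src` has sent `count` or more restarts within `window` seconds."""
        if label not in ("warm-restart", "cold-restart"):
            return False
        times = self.seen[src]
        times.append(now)
        while times and now - times[0] > self.window:
            times.popleft()
        return len(times) >= self.count


if __name__ == "__main__":
    # Constructed master -> outstation 1 from address 3; control 0xC4 = DIR|PRM, unconfirmed data.
    restart = bytes([0xC0, 0xC0, FC_WARM_RESTART])
    timeset = bytes([0xC0, 0xC0, FC_WRITE, 0x32, 0x01, 0x07, 0x01]) + bytes(6)  # WRITE g50v1
    detector = RestartFloodDetector()
    for t, payload in enumerate([restart, restart, restart, timeset]):
        parsed = parse_frame(build_frame(0xC4, 1, 3, payload))
        label = classify(parsed["user_data"])
        print(label, "flood=%s" % detector.observe(parsed["src"], label, now=0.2 * t))
```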
SCADA Information Security is different from the regular IT
information security practices. We need to cover the specific vectors to
improve the security level of the associated industrial process.
Since news of the Target breach broke four months ago, it seems like more and more data breaches are happening with retailers. Any kind of data breach is scary and daunting, but when it comes to retail cybersecurity threats and our financial information being at risk, the threat feels bigger. When a hacker has found a way into your bank account and taken your money, the immediate impact is real.
The good news for retailers and consumers is that the National Retail Federation just announced that they are creating an industry information sharing and analysis center (ISAC) for retailers and merchants. What this program will do is “provide
retailers cyber security information from government, law enforcement
agencies, retailers, and partners in the financial services sector.”
This is good news because this can help big and small businesses
protect themselves and their customers from devastating data breaches.
With the retail community on board with sharing and collaborating on cybersecurity issues and protocols, they are also stressing the importance of knowing that there isn’t one solution to keep all cyber-attacks from being successful: “Implementing robust security solutions with innovative technologies and information sharing to protect consumer data and the integrity of our payment systems is a start, but we will always need to stay one step ahead of these determined criminals.”
Being proactive and aware of the threats that exist is a critical element in staying secure and protected.
On to the daily roundup...
IT – Gravity 42, Risk 43
The Galaxy S5 is brand new, but the fingerprint scanner has already been hacked by the same "fake finger" method which works on iPhones. The permissions on the Samsung, however, mean this method could work after a reboot and even let an attacker use PayPal. If you use fingerprint authentication, keep some backstops in place. goo.gl/m30wiJ
Top Targets: Management Software- Orbit Open Ad Server
GOVERNMENT – Gravity 19, Risk 21
The Canadian Revenue Agency reports that 900 taxpayers had their social insurance numbers exposed in a breach stemming from the infamous Heartbleed exploit. In a statement, the agency said it is analyzing data to understand that breach. The CRA will notify individuals about the breach and offer free credit protection. goo.gl/xfyALY
Top Targets: Data- Social Insurance Numbers (SINs)
FINANCIALS – Gravity 13, Risk 19
The Bulgarian-based Bitcoin exchange BTC-e went down briefly Sunday after a DDoS attack on their server. The company made a statement that nothing was taken and that this DDoS attack was similar to previous attacks and "not special in any way". bit.ly/1iT4Mpp
Top Targets: Financial Networks- Cryptocurrency exchanges
OTHER ORGANIZATIONS – Gravity 10, Risk 14
The Veterans of Foreign Wars Organization suffered a major data breach, losing approximately 55,000 records to alleged Chinese hackers. The VFW knew about the breach in early March and informed affected veterans in a letter. bit.ly/1etFiml
Top Targets: Users- Anonymous members
CONSUMER GOODS – Gravity 5, Risk 7
The National Retail Federation, the world’s largest retail trade association, plans to create an information sharing and analysis center that will help companies deal with cyber threats in the retail and merchant industry. It will be developed in partnership with the Financial Services Information Sharing and Analysis Center. goo.gl/VY6OxF
Top Targets: Mobile Device- News Corp. consumers phones
UTILITIES – Gravity 1, Risk 6
A report from Connecticut state utility regulators reveals that electric, natural gas and water companies and regional distribution systems have been penetrated by hackers and other cyber attackers, but that defenses prevented interruption. The report does not specify incidents or elaborate publicly on security details. goo.gl/Or10Kf
Top Targets: Infrastructure- Crucial infrastructure
HEALTHCARE – Gravity 1, Risk 3
Personal details of nearly 500,000 people who sought information about plastic surgery via the UK's Harley Medical Group’s website were stolen in an apparent bid to blackmail the company. The stolen details submitted by potential customers include phone numbers, email addresses and dates of birth. goo.gl/hkrIXn
Top Targets: Patients- La Palma Intercommunity Hospital's patients
ENTERTAINMENT – Gravity 2, Risk 2
Three major record labels are suing Russian social media website vKontakte. The labels claim the company fosters large-scale music piracy. Sony Music Russia, Universal Music Russia, and Warner Music UK filed suit in court. The labels claim the site stores a user-generated catalogue of music and has refused a licensing deal. goo.gl/LtIiVj
Top Targets: Web Presence- Tens of pornographic websites
INDUSTRIALS – Gravity 1, Risk 2
US Airways apologized for tweeting an explicit photo in response to a customer complaint. In a statement, the airline says it was trying to flag the image but it was mistakenly included. One social media mistake can harm your brand, especially if you are a small business. Therefore, managing social media is recommended. goo.gl/k6Gid8
Top Targets: Social Media Accounts- US Airways Twitter account
TELECOM – Gravity 1, Risk 1
The internet is awash with various sites that may have been affected by Heartbleed, but very few go into detail about the affected mobile devices. Here is a comprehensive list of what Heartbleed means to mobile devices and apps. Yes, your phone could have been or may be vulnerable as well. onforb.es/1gWS2wK
Top Targets: Users- AT&T Inc. website Apple iPad users
ENERGY – Gravity 1, Risk 1
The New York Times released an article discussing watering hole attacks aimed at an unnamed energy company. Hackers compromised a food takeout website popular with employees. The compromised website enabled the hackers to upload malicious code onto the victims' computers, giving the attackers a foothold in the targeted network. goo.gl/sNtody
Top Targets: Desktop/Laptops-Oil company private computers
MATERIALS – Gravity 0, Risk 0
On Sunday Anonymous attacked the Monsanto Brazil website via a DDoS and took it offline. This is not the first attack Anonymous has conducted against Monsanto. The hacktivist organization is protesting the use of GE trees that it claims poison land and displace communities in Latin America. inagist.com/all/4478...
Security Research Labs says smartphone makers like Samsung need to implement biometric technology "in a way that does not put their users' crucial data and payment accounts at risk."
Well, that didn't take long.
Four days after Samsung released its long-awaited Galaxy S5, security researchers say they've already found a way to hack the smartphone's fingerprint sensor.
In a video posted Tuesday on YouTube, experts from Security Research Labs demonstrated an apparent breach of the S5 using similar tactics employed late last year to bypass the fingerprint lock on Apple's iPhone 5s.
The group says it used a camera-phone photo of a fingerprint on a
smartphone screen to create a "fake finger" sheet out of a wood-glue
mold. That allowed them to access the S5's home screen and even send
money via the PayPal app, which uses fingerprint authentication.
"Samsung does not seem to have learned from what others have done less poorly," Security Research Labs said. "Incorporation of fingerprint authentication into highly sensitive apps such as PayPal gives a would-be attacker an even greater incentive to learn the simple skill of fingerprint spoofing." Samsung did not immediately respond to a request for comment.
In a statement Tuesday PayPal said it took the SRL findings "very
seriously," but was "still confident that fingerprint authentication
offers an easier and more secure way to pay on mobile devices than
passwords or credit cards."
The company says it can quickly deactivate fingerprint keys on lost or stolen devices, and that users are covered in case of fraud by its purchase protection policy.
Canada Revenue Agency (CRA) has reported that the
private information of about 900 people was stolen using the Heartbleed
security bug. Experts are warning that more attacks may occur.
“Based on our analysis to date, Social Insurance Numbers
(SIN) of approximately 900 taxpayers were removed from CRA
systems by someone exploiting the Heartbleed vulnerability,”
the Canadian tax-collection authority said in a statement on Monday. “We are currently going
through the painstaking process of analyzing other fragments of
data, some that may relate to businesses that were also
removed.”
Reportedly, the CRA has so far been the only government agency to
admit the data loss after news about the Heartbleed bug became
public. The flaw was found in OpenSSL software used to encrypt
about two-thirds of websites to secure data. Revealed to the
public on Monday, April 7, the bug was feared to be one of the
most serious security vulnerabilities in years.
The CRA shut its online services for several days last Tuesday.
Unfortunately, it appeared the measure was too slow to prevent
attacks by cyber criminals.
“Regrettably, the CRA has been notified by the Government of
Canada's lead security agencies of a malicious breach of taxpayer
data that occurred over a six-hour period,” the authority
said.
The agency, according to its statement, informed the Privacy Commissioner of Canada of the breach on Friday and restored access to its online services on Sunday. However, it waited till Monday to publicly confirm the attack.
The CRA “contacted our office last Friday afternoon to notify us about the attack and of the measures it was taking to mitigate risks and notify affected individuals," Valerie Lawton, a spokesperson for the Privacy Commissioner's Office, said in a written statement, as cited by CBC News. The office later added that the tax-collector said that “several hundred Canadians” had their SINs stolen from the agency's website as a result of the Heartbleed bug.
The incident also raised questions over the government’s response
to the incident, with researchers in the Canadian online security
community saying that the Heartbleed breach indicated that state
agencies are often not as well equipped as private firms to react
to online threats.
The government “was really slow on this,” Christopher
Parsons, from the Citizen Lab at the Munk School of Global
Affairs at the University of Toronto told CBC.
“If you look at Yahoo, it had begun updating its security
practices prior to the CRA fully taking action. The same thing
with other larger companies. As soon as they saw what was going
on, they immediately reacted and issued public statements,”
he said.
The CRA said in their Monday statement that all those affected by
the breach will receive registered letters as well as get access
to credit protection services at no cost.
“We will apply additional protections to their CRA accounts
to prevent any unauthorized activity,” the authority said.
Meanwhile, a popular British website for parents, Mumsnet, urged
users to change their passwords after the 'Heartbleed bug' had
been used to access data from their accounts.
“On Thursday April 10 we at MNHQ became aware of the bug and
immediately ran tests to see if the Mumsnet servers were
vulnerable. As soon as it became apparent that we were, we
applied the fix to close the OpenSSL security hole (known as the
Heartbleed patch). However, it seems that users' data was
accessed prior to our applying this fix,” Mumsnet said.
The founder of the site, Justine Roberts, told the BBC that her
own username and password were used to post a message online.
According to Roberts, the hackers then told the website’s
administrators that the attack was linked to Heartbleed and that
the company’s data was not safe.
It is not yet clear why the cyber criminals picked the parenting website as their target, as it does not deal with financial or confidential data. But as FT.com noted, people often use the same passwords and user names on various websites, and the hackers may have sought to get those details to use on other sites later.
US bank JP Morgan has increased its budget for
cyber security in reaction to an "unprecedented" threat faced in the
past two years.
In a letter to shareholders last
week, JP Morgan CEO Jamie Dimon said that the firm will spend close to
$250 million (£149 million) on improving "cyber capabilities", up from
$200 million the previous year.
"In our existing
environment and at our company, cybersecurity attacks are becoming
increasingly complex and more dangerous," said Dimon. "The threats are
coming in not just from computer hackers trying to take over our systems
and steal our data but also from highly coordinated external attacks
both directly and via third-party systems."
Last year, the bank warned 465,000 customers using its prepaid cash cards that personal information may have been compromised, after it was targeted in a cyber attack. It has also been targeted by hacktivist groups such as the European Cyber Army and Martyr Izz ad-Din al-Qassam Cyber Fighters.
COO Matt Zames added in a separate letter that the number of attacks the bank has received from sophisticated criminals in recent years has been "unprecedented".
"Two years ago we saw a rise in 'denial of service' attacks aimed at disrupting the flow of financial transactions," he said.
"As the threats continue to grow and attacks continue to evolve, it's crucial that we evolve as well and focus on tomorrow's threats, as well as today's."
The investment in cyber security includes deployment of additional 'monitoring and protection' technology, as well as expanding the number of dedicated cybersecurity professionals employed at the bank to a total of 600.
The bank will also build three 'state-of-the-art' Cyber Security Operations Centers at its regional headquarters to help coordinate responses to attacks. These will pull together internal information from systems monitoring and combine it with data from industry and government partners to offer a comprehensive view of threats.
JP Morgan's large IT estate includes 300,000 desktops and 58,000 servers in 32 data centres, with 26,000 databases and 7,250 business applications. It also has nearly 30,000 programmers, app developers and other IT employees globally.
What information can you get with a Heartbleed attack?
The Heartbleed attack works by tricking servers into leaking
information stored in their memory. So any information handled by web
servers is potentially vulnerable. That includes passwords, credit card
numbers, medical records, and the contents of private email or social
media messages.
Attackers can also get access to a server's private encryption key. That could allow the attacker to unscramble any private messages sent to the server and even impersonate the server.
Who might take advantage of the Heartbleed Bug?
Broadly speaking, there are two groups of people who might take advantage of Heartbleed: criminals and intelligence agencies.
For criminals, the most likely goal of a Heartbleed attack would be
identity theft. By capturing a user's passwords, credit card numbers,
and other credentials, the criminal could impersonate the user and
engage in fraudulent financial transactions.
Intelligence agencies might have much broader goals. The US National
Security Agency and its counterparts in Russia, China, and other world
powers are constantly looking for opportunities to compromise the
communications of military and civilian targets alike. Bloomberg has reported
that the NSA discovered the Heartbleed Bug at least two years ago and
"regularly used it to gather critical intelligence." The NSA has denied this claim.
The NSA is particularly well-positioned to take advantage of a vulnerability like Heartbleed because it has secret agreements
with major internet service providers allowing it to intercept traffic
as it flows through the internet backbone. If the agency used a
Heartbleed attack to obtain a site's encryption keys, then it could
intercept all of the site's communications even though the site was
using SSL.
It was discovered independently by researchers at Codenomicon and Google Security. Codenomicon created a user-friendly website about the vulnerability, helping to rapidly spread awareness.
To minimize the damage from the disclosure, the researchers worked
with the OpenSSL team and other key insiders to prepare fixes before the
problem was announced publicly.
How did the Heartbleed bug get added to OpenSSL?
The flawed code was added
to the experimental version of SSL at the end of 2011 and released to
the public in March 2012. The flawed software patch was submitted by a
German man named Robin Seggelmann.
"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he told the Sydney Morning Herald. "In one of the new features, unfortunately, I missed validating a variable containing a length."
The submission was reviewed by an OpenSSL developer, but neither man
noticed that the code could be exploited to trick servers into leaking
the contents of memory.
Has anyone actually exploited the Heartbleed vulnerability?
We don't know. Security researchers have built proof-of-concept
software to exploit the Heartbleed Bug. But so far, there have been no
confirmed cases of malicious parties using the bug to steal user data.
However, that doesn't mean it's not happening. For the next few days,
people will be on the lookout for suspicious activity. So hackers who
steal users' passwords, credit card numbers, and other private data
might decide to lie low for a while before trying to take advantage of
this information. And when they do, we might not know if they got the
information through a Heartbleed attack or some other tactic.
SSL, short for Secure Sockets Layer, is a family of encryption
technologies that allows web users to protect the privacy of information
they transmit over the internet.
When you visit a secure website such as Gmail.com, you'll see a lock
next to the URL, indicating that your communications with the site are
encrypted. Here's what that looks like in Google's Chrome browser:
That lock is supposed to signal that third parties won't be able to
read any information you send or receive. Under the hood, SSL
accomplishes that by transforming your data into a coded message that
only the recipient knows how to decipher. If a malicious party is
listening to the conversation, it will only see a seemingly random
string of characters, not the contents of your emails, Facebook posts,
credit card numbers, or other private information.
SSL was introduced by Netscape in 1994. In recent years, there has been a trend toward major online services using encryption by default. Today, Google, Yahoo, and Facebook all use SSL encryption by default for their websites and online services.
When implemented correctly, SSL is believed to be highly secure. But in 2014 a number of problems were found in widely used SSL software. In February, a serious flaw was discovered in Apple's implementation of SSL. The next month a flaw was found in another SSL implementation that was popular with open source operating systems. The most serious vulnerability, known as Heartbleed, was discovered in April. It affects OpenSSL, which is installed on a majority of the world's web servers.
What's OpenSSL?
OpenSSL is software that allows computers to communicate using
the SSL encryption standards. It's an open source project created and
maintained by volunteers. First released in 1998, it has become one of
the most popular SSL implementations in the world.
OpenSSL is widely used. One reason for this is that it has been incorporated into various other software products. For example, two of the most popular web server software packages, known as Apache and nginx, both use OpenSSL to encrypt websites.
The OpenSSL project currently lists just 15 active developers who contribute to the project on a volunteer basis. But not all changes to the OpenSSL software are written by these 15 people. Rather, these developers help to filter and organize suggested changes from a larger community of people who make occasional contributions.
Considering that high-profile commercial software projects
often have dozens or even hundreds of people working on them, it's not
surprising that the OpenSSL team didn't notice the subtle Heartbleed bug
when they introduced a new version of the software in 2012.
How does the heartbleed attack work?
The SSL standard includes a "heartbeat" option, which provides a
way for a computer at one end of the SSL connection to double-check
that there's still someone at the other end of the line. This feature is
useful because some internet routers will drop a connection if it's idle for too long. In a nutshell, the heartbeat protocol works like this:
The heartbeat message has three parts: a request for acknowledgement,
a short, randomly-chosen message (in this case, "banana"), and the
number of characters in that message. The server is simply supposed to
acknowledge having received the request and parrot back the message.
The Heartbleed attack takes advantage of the fact that the server can be too trusting. When someone tells it that the message has 6 characters, the server automatically sends back 6 characters in response. A malicious user can take advantage of the server's gullibility:
Obviously, the word "giraffe" isn't 100 characters long. But the server doesn't bother to check before sending back its response, so it sends back 100 characters. Specifically, it sends back the 7-character word "giraffe" followed by whichever 93 characters happen to be stored after the word "giraffe" in the server's memory. Computers often store information in a haphazard order in an effort to pack it into memory as tightly as possible, so there's no telling what information might be returned. In this case, the bit of memory after the word "giraffe" contained sensitive personal information belonging to user John Smith.
In the real Heartbleed attack, the attacker doesn't just ask for 100
characters. The attacker can ask for around 64,000 characters of plain
text. And it doesn't just ask once, it can send malicious heartbeat
messages over and over again, allowing the attacker to get back
different fragments of the server's memory each time. In the process, it
can gain a wealth of data that was never intended to be available to
the public.
The fix for this problem is easy: the server just needs to be less
trusting. Rather than blindly sending back as much data as is requested,
the server needs to check that it's not being asked to send back more
characters than it received in the first place. That's exactly what OpenSSL's fix for the Heartbleed Bug does.
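The trusting handler and its bounds-checked replacement, written out as an added illustration of the "giraffe"/100 exchange above and of the memory leak described earlier (this is example code, not OpenSSL's code and not from the article): a small static buffer stands in for the server's process memory, the request layout (a type byte, a two-byte claimed payload length, the payload, then 16 bytes of padding) follows the heartbeat record the text describes, and the "John Smith" data lying just past the record is constructed for the demonstration. The hardened handler applies exactly the rule the fix states: if the claimed length would reach past what was actually received, the request is dropped rather than answered.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated server memory (constructed for this example): the heartbeat
 * request is laid out at the start, and whatever sits beyond the record
 * stands in for other data the process happened to be holding. */
#define MEM_SIZE 256
#define HB_PADDING 16            /* a heartbeat record ends with 16 bytes of padding */
static unsigned char server_mem[MEM_SIZE];

/* Hypothetical per-user data placed right after the record (constructed). */
static const char *SECRET = "user=John Smith;pw=hunter2";

/* Place a heartbeat request in server memory: type byte, two-byte claimed
 * payload length, the payload, padding. Returns the record length actually
 * received, which is the value the hardened handler must check against. */
static size_t place_request(const char *payload, uint16_t claimed_len)
{
    size_t plen = strlen(payload);
    size_t record_len = 1 + 2 + plen + HB_PADDING;
    memset(server_mem, 0, MEM_SIZE);
    server_mem[0] = 1;                                   /* heartbeat request */
    server_mem[1] = (unsigned char)(claimed_len >> 8);
    server_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_mem + 3, payload, plen);
    if (record_len + 1 < MEM_SIZE)  /* the secret lies just past the padding */
        strncpy((char *)server_mem + record_len, SECRET, MEM_SIZE - record_len - 1);
    return record_len;
}

static size_t claimed_length(void)
{
    return (size_t)((server_mem[1] << 8) | server_mem[2]);
}

/* Vulnerable handler: echoes back as many bytes as the client claimed,
 * never comparing that claim with the record it actually received. */
static size_t heartbeat_vulnerable(size_t record_len, unsigned char *out)
{
    size_t n = claimed_length();
    (void)record_len;                 /* the received length is never consulted */
    if (n > MEM_SIZE - 3) n = MEM_SIZE - 3;  /* keeps this simulation inside its own
                                                buffer; the real bug read on into
                                                arbitrary process memory */
    memcpy(out, server_mem + 3, n);   /* over-read: copies bytes past the record */
    return n;
}

/* Hardened handler: the check the fix describes. If header + claimed payload
 * + padding exceeds what was received, discard the request silently, as the
 * heartbeat specification requires. */
static size_t heartbeat_fixed(size_t record_len, unsigned char *out)
{
    size_t n = claimed_length();
    if (1 + 2 + n + HB_PADDING > record_len)
        return 0;
    memcpy(out, server_mem + 3, n);
    return n;
}

/* Scan a response for a byte string; responses may contain NUL bytes
 * (the zeroed padding), so strstr would stop early. */
static int response_contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t nl = strlen(needle);
    if (nl == 0 || len < nl) return 0;
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(buf + i, needle, nl) == 0) return 1;
    return 0;
}

/* Run one request against either handler; returns the response length. */
static size_t response_length(int hardened, const char *payload, uint16_t claimed)
{
    unsigned char out[MEM_SIZE];
    size_t record_len = place_request(payload, claimed);
    return hardened ? heartbeat_fixed(record_len, out)
                    : heartbeat_vulnerable(record_len, out);
}

/* 1 if the handler's response carried the data that lay beyond the record. */
static int secret_leaked(int hardened, const char *payload, uint16_t claimed)
{
    unsigned char out[MEM_SIZE];
    size_t record_len = place_request(payload, claimed);
    size_t n = hardened ? heartbeat_fixed(record_len, out)
                        : heartbeat_vulnerable(record_len, out);
    return response_contains(out, n, "hunter2");
}

int main(void)
{
    printf("honest 'banana'/6, fixed      -> %zu bytes, leak=%d\n",
           response_length(1, "banana", 6), secret_leaked(1, "banana", 6));
    printf("'giraffe'/100, vulnerable     -> %zu bytes, leak=%d\n",
           response_length(0, "giraffe", 100), secret_leaked(0, "giraffe", 100));
    printf("'giraffe'/100, fixed          -> %zu bytes, leak=%d\n",
           response_length(1, "giraffe", 100), secret_leaked(1, "giraffe", 100));
    return 0;
}
```

The honest request ("banana", length 6) is answered identically by both handlers; the malformed one ("giraffe", length 100) makes the trusting handler return 100 bytes that include the constructed secret, while the hardened handler returns nothing. The check is the whole fix: one comparison of the claimed length against the length actually received, done before any copy.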
What is the Heartbleed Bug?
The Heartbleed bug is a serious flaw in OpenSSL, encryption software that powers a lot of secure communications on the web. It was announced by computer security researchers on April 7, 2014.
Here's how it works: the SSL standard includes a heartbeat option,
which allows a computer at one end of an SSL connection to send a short
message to verify that the other computer is still online and get a
response back. Researchers found that it's possible to send a cleverly
formed, malicious heartbeat message that tricks the computer at the
other end into divulging secret information. Specifically, a vulnerable
computer can be tricked into transmitting the contents of the server's
memory, known as RAM.
Ed Felten, a computer scientist at Princeton (and, disclosure, my
former graduate advisor) says that attackers using the technique can
"sort through that information by doing pattern matching to try to find
secret keys, passwords, and personal information like credit card
numbers."
I don't need to explain why exposing passwords and credit card
numbers could be harmful. But exposing secret keys can be even worse.
This is the information servers use to unscramble encrypted information
it receives. If an attacker obtains a server's private keys, it can read
any information sent to it. It may even be able to use the secret key
to impersonate the server, tricking users into divulging their password
and other sensitive information.
Since the bug was announced, website operators have scrambled to update their software and take other precautions required to secure their sites. The precise number of affected websites isn't known, but the vulnerability is believed to affect a significant fraction of all secure sites on the web.
Because the Heartbleed attack is generally focused on servers, there is nothing users can do to protect themselves when using a vulnerable website. But once a secure website has fixed the problem, it's important for users to update their passwords to ensure that previously-captured passwords are not used for malicious purposes.
Which websites are affected?
Affected companies
include Tumblr, Google, Yahoo, Intuit (makers of TurboTax), Dropbox,
and Facebook, though all these companies say they've fixed the problem.
Amazon.com was not affected, but Amazon Web Services, which is used by a
huge number of smaller websites, was. Microsoft, PayPal, LinkedIn, and
AOL say they weren't affected. Twitter, eBay, Netflix, and Apple have
not made a clear statement one way or the other.
Most banking and investment sites, including Bank of America, Chase, E-Trade, Fidelity, PNC, Schwab, US Bank, and Wells Fargo, were not affected. This might be because these companies use encryption software other than OpenSSL, or it might be because they haven't been upgrading to the latest version. Ironically, companies that were running a version of OpenSSL more than two years old were not affected by the Heartbleed bug.
While security pros hustle to patch Web sites affected by the
widespread OpenSSL flaw nicknamed Heartbleed, there are indications that
cybercriminals are hoping to beat them to the punch.
A list of more than 10,000 domains that were vulnerable, patched or unaffected by the bug was found on Pastebin by Easy Solutions. The fraud prevention company believes hackers are most likely behind the list.
"A lot of time what these guys will do is dump a list of inventory on Pastebin, cut that link and then share the link with their friends on a (underground) forum," Daniel Ingevaldson, chief technology officer for Easy Solutions, said. "So, it's essentially a billboard for a service."
Wide-scale scanning for vulnerable sites is underway across the Internet, Ingevaldson said. Much of the scanning is being done for legitimate reasons, while the rest is by hackers looking for potential victims.
"We're seeing a systematic canvassing of the entire Internet right now to see what's vulnerable and what isn't," Ingevaldson said. "It's a bit of a gold rush."
Many free scanning tools are available on the Web to
test sites for the flawed OpenSSL library, which has been in use for
about two years. OpenSSL is the open source implementation of Secure
Sockets Layer, which is used to encrypt communications between a web
browser and server. The vulnerability makes it possible to read the
memory of the server and steal credentials, passwords and other data.
At least a half million servers, or 17 percent of secure websites, were reportedly vulnerable, presenting a large target for cybercriminals who reach the sites before their operators can apply the freely available patch.
However, finding a vulnerable site is much easier than
exploiting the flaw, experts say. But while it may be fairly difficult
now, hackers share information and toolkits, which may make the task
easier in the future.
Websites are not the only entities
vulnerable to an OpenSSL attack. Cloud-based apps are also potential
targets. Netskope, a cloud app analytics company, has a running tally of vulnerable apps that are used by enterprises. The company's list had reached 100 as of Thursday.