Monthly Archives: March 2015

Microsoft Confirms Windows Vulnerable to FREAK Flaw

Microsoft on Thursday confirmed that Windows is indeed vulnerable to the dreaded FREAK attacks that were reported earlier this week. Microsoft said it was aware of a security feature bypass vulnerability in Secure Channel, or Schannel, that affects all supported versions of Microsoft Windows.

Information security firm IANS attributes the FREAK flaw, which stands for Factoring RSA Export Keys, to U.S. government restrictions from the 1990s that made it illegal to export products with strong encryption, leaving deliberately weakened "export-grade" cipher suites in the protocol long after the restrictions were lifted.

According to FreakAttack.com, a site dedicated to tracking the impact of the attack and helping users test whether they’re vulnerable, the FREAK attack is possible when a vulnerable browser connects to a susceptible Web server — a server that accepts “export-grade” encryption.

How Far Does this Spread?

“Our investigation has verified that the vulnerability could allow an attacker to force the downgrading of the cipher suites used in an SSL/TLS connection on a Windows client system,” Microsoft reported in a security advisory.

“The vulnerability facilitates exploitation of the publicly disclosed FREAK technique, which is an industry-wide issue that is not specific to Windows operating systems. When this security advisory was originally released, Microsoft had not received any information to indicate that this issue had been publicly used to attack customers.”

Public disclosure of the FREAK vulnerability first occurred March 3, when researchers announced they had discovered the SSL/TLS vulnerability. According to FreakAttack.com, it allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption. That sets the stage for the attacker to steal or manipulate sensitive data.
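The check FreakAttack.com describes comes down to one question: does a server answer a ClientHello that offers only RSA-export suites with one of those suites, and how small is the temporary RSA key it then sends? The following is an added example written for this page, not code from FreakAttack.com or Microsoft. It builds that probe ClientHello, parses a ServerHello and an export-RSA ServerKeyExchange, and classifies the result. The cipher-suite code points are the RFC 2246 values; the server responses are constructed in the block so it runs offline, and a real scanner would write the probe to a socket and read the server's records instead.

```python
import os
import struct

# TLS cipher-suite code points (RFC 2246 values). Assumption: only the three
# RSA-export suites and two non-export RSA suites are listed, not the full registry.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
STRONG_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
TLS10 = b"\x03\x01"
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 0x16, 0x01, 0x02, 0x0C


def tls_record(content_type, body):
    return bytes([content_type]) + TLS10 + struct.pack("!H", len(body)) + body


def handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_client_hello(suites, client_random=None):
    """ClientHello offering only `suites`: a scanner sends this with export
    suites alone; a FREAK attacker rewrites a real client's list to the same."""
    client_random = client_random or os.urandom(32)
    body = (TLS10 + client_random + b"\x00"                  # version, random, empty session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                                   # one compression method: null
    return tls_record(HANDSHAKE, handshake(CLIENT_HELLO, body))


def parse_server_hello(record):
    """Cipher suite the server selected, or None if the record is not a ServerHello."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    hs = record[5:]
    if not hs or hs[0] != SERVER_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 35 + body[34]                                      # skip version, random, session id
    return struct.unpack("!H", body[off:off + 2])[0]


def rsa_modulus_bits(record):
    """Bit length of the temporary RSA modulus in an export-RSA ServerKeyExchange."""
    hs = record[5:]
    if not hs or hs[0] != SERVER_KEY_EXCHANGE:
        return None
    body = hs[4:]
    mod_len = struct.unpack("!H", body[:2])[0]
    return int.from_bytes(body[2:2 + mod_len], "big").bit_length()


def assess(server_hello, server_key_exchange=None):
    """A server that answers an export-only ClientHello with an export suite is
    FREAK-exposed; the modulus size shows how cheap the factoring step is."""
    suite = parse_server_hello(server_hello)
    bits = rsa_modulus_bits(server_key_exchange) if server_key_exchange else None
    return {
        "suite": suite,
        "name": EXPORT_SUITES.get(suite) or STRONG_SUITES.get(suite) or "unknown",
        "modulus_bits": bits,
        "vulnerable": suite in EXPORT_SUITES,
    }


# Constructed responses standing in for what a real server would send back.
def fake_server_hello(suite):
    body = TLS10 + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return tls_record(HANDSHAKE, handshake(SERVER_HELLO, body))


def fake_server_key_exchange(modulus_bytes):
    modulus = b"\x80" + b"\x00" * (modulus_bytes - 1)        # top bit set: exact bit length
    body = struct.pack("!H", len(modulus)) + modulus + struct.pack("!H", 3) + b"\x01\x00\x01"
    return tls_record(HANDSHAKE, handshake(SERVER_KEY_EXCHANGE, body))


if __name__ == "__main__":
    probe = build_client_hello(sorted(EXPORT_SUITES))
    print("probe ClientHello:", probe.hex())
    print(assess(fake_server_hello(0x0003), fake_server_key_exchange(64)))
    print(assess(fake_server_hello(0x002F)))
```

A correctly configured server rejects the export-only probe with a handshake_failure alert rather than a ServerHello, which `parse_server_hello` reports as `None`; a 64-byte modulus is the 512-bit key Young refers to below.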

Until Microsoft's announcement Thursday, it was believed the vulnerability affected only the stock Android browser, which relies on OpenSSL to establish secure connections, and Apple's Safari, which uses Apple's own Secure Transport TLS library.

Thousands of Web sites are believed affected. FreakAttack.com lists some. A few of the more popular ones are AmericanExpress.com, Groupon.com, NationalGeographic.com, Bloomberg.com and TinyURL.com. As for Microsoft, the company said it was “actively” working with partners in its Microsoft Active Protections Program to provide information they can use to offer broader customer protection.

Just Common Sense

We asked Craig Young, security expert at advanced threat protection firm Tripwire, for his thoughts about FREAK. He told us this is a situation where common sense security goes a long way.

“Windows users should not be particularly concerned about this attack but it would be wise to disable the RSA key exchange ciphers, as Microsoft recommends particularly on systems which are used on public wireless networks,” Young said. “Systems which automatically connect to any open wireless network can be most easily subverted to join an attacker-controlled network where FREAK can be exploited.”

As Young sees it, this entire situation should also be considered in the future when thinking about watering down or adding backdoors to encryption schemes in the name of national security.

This is a highly targeted attack, Young said: the attacker must pick specific sites that still support export encryption and then spend the effort to factor the 512-bit RSA ephemeral key each of them uses.

“Also since the key may change periodically as services are restarted, the attacker can have a limited timeframe to successfully man-in-the-middle [attack] a victim,” Young said. “In my opinion, issues like the SuperFish malware are much more concerning for the possibility of highly successful MiTM attacks.”


Via: enterprise-security-today

Waze Becomes One Of Google’s Pre-Installation Options For Android Devices

Crowdsourced driving navigation app Waze is getting a boost from parent company Google at this year’s Mobile World Congress – the free app is now included in the section of apps that make up Google Mobile Services, or the pre-installation software bundle Google offers to smartphone and device OEMs building Android gadgets.

The GMS designation means that Waze can join the likes of Google Maps, Hangouts and Google Drive, to name just a few, as something that appears on Android devices as soon as users power them on. It’s not surprising, given that the app is now fully owned and operated by Google, but the fact that the app actually competes in many ways with Google’s own Maps software does make it an interesting move.

Waze does focus more on real-time turn-by-turn navigation than Maps, however, and expects a lot more in terms of ongoing user input to report hazards, traffic slowdowns and more. And pre-installation is a big deal in terms of engagement, since Waze depends on active users to build its database of real-time traffic and road information, which also then feeds back into the main Google app, providing its more general, casual and sizeable user base with the benefits of all that real-time reporting.

Pre-installation of Waze is now available to both OEMs and carriers, but we've yet to see anyone offer it out-of-the-box on new devices just yet. Google has announced that it's going to be trying out life as a network operator, with limited forays into MVNO territory starting soon, however, so maybe we'll see Waze's parent company also become one of its first pre-installation partners.


Via: techcrunch

Chrome 41 update includes 51 security fixes

Chrome 41 was promoted to the stable channel for Windows, Mac and Linux on Tuesday – the update includes 51 security fixes, several of which are deemed high in severity.

A researcher identified as ‘cloudfuzzer’ earned a total of $15,000 for reporting three separate high severity out-of-bounds write vulnerabilities in skia filters, but the single biggest reward – $7,500 – went to an anonymous researcher who identified a high severity out-of-bounds write vulnerability in media, according to a Tuesday release.

Other high severity vulnerabilities noted in the release include a use-after-free bug in v8 bindings, a type confusion flaw in v8 bindings, a use-after-free vulnerability in DOM, and an integer overflow in WebGL.

The update also includes several new apps/extension APIs, as well as many “under the hood” changes that should improve stability and performance, according to the release.


Via: scmagazine

Android ‘Gazon’ worm proliferates through texts, infects more than 4k phones

Experts have discovered a new Android malware campaign that has infected more than 4,000 North American phones in less than a week.

The campaign involves victims receiving an SMS message from a familiar contact that prompts them to click on a link to a site which promises a $200 Amazon gift card, according to a blog post by Yicheng Zhou, security analyst at AdaptiveMobile. To receive the gift card, the recipient is asked to download an APK file from the malicious site.

If downloaded and opened, the app prompts victims to take a survey in order to receive the gift card. As users toil away on tasks to earn the reward, attackers reap the profit through referral traffic. They’re also simultaneously harvesting the victims’ contacts.
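The behaviour described above, harvesting contacts and texting each of them a lure, needs a small and recognisable set of Android permissions. The following is an added example for this page, not AdaptiveMobile's detection logic or any part of the Gazon sample: a triage heuristic that reads a decoded AndroidManifest.xml (as produced by a tool such as apktool, since the manifest inside an APK is binary XML) and flags the permission combinations a self-propagating SMS app requires. The permission pairings, the verdict and both manifests are this example's own constructions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permission combinations that give an app what an SMS-spreading worm needs.
# These pairings and the verdict are this example's heuristic, not AdaptiveMobile's rules.
SPREAD = {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"}
HARVEST = {"android.permission.READ_CONTACTS", "android.permission.INTERNET"}


def declared_permissions(manifest_xml):
    """Set of <uses-permission android:name=...> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID + "name") for el in root.iter("uses-permission")} - {None}


def triage(manifest_xml):
    perms = declared_permissions(manifest_xml)
    findings = []
    if SPREAD <= perms:
        findings.append("reads contacts and sends SMS: can propagate to every contact")
    if HARVEST <= perms:
        findings.append("reads contacts and has network access: can upload the contact list")
    return {"permissions": sorted(perms), "findings": findings, "suspicious": bool(findings)}


# Constructed manifests: the first has what the gift-card lure would need, the second is harmless.
WORM_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.giftcard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Amazon Rewards"/>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("worm-like", WORM_LIKE), ("benign", BENIGN)):
        print(name, triage(xml))
```

A permission check is a coarse filter, not a verdict: plenty of legitimate apps ask for contacts and SMS, and an app that passes the check can still be malicious, which is why the survey-and-referral behaviour Mc Daid describes was not caught by engines looking for more dangerous payloads.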

More than 16,000 people have clicked the malicious link, said Cathal Mc Daid, head of data intelligence and analytics at AdaptiveMobile, in an interview with SCMagazine.com.

“This malware is just trying to spread on the promise of money payment,” Mc Daid said. “That’s the main difference [between Gazon and other malware]. It’s a better hook for people to actually accept this.”

The ruse also appears to have tricked users around the world, and no anti-virus engines are detecting the malware, AdaptiveMobile reported.

The company has called the attack “the single largest text-message-initiated mobile malware attack to date on Android.”

“This piece of malware is quite simple,” Mc Daid said. “It’s not doing the more dangerous types of activities, which is probably the reason why it wasn’t being picked up by any of the anti-virus vendors. It’s not doing those other more dangerous things that they normally look for.”

Interestingly, Mc Daid noted, the shortened URL account related to the initial malicious link connects to a legitimate Facebook account. Although he couldn’t reveal the user’s details, Mc Daid did say the user appears to have created shortened links for previous scams, including a WhatsApp spam campaign.

The user’s account and URLs are now disabled. However, Mc Daid said the company has already seen new versions of the attack that demonstrate changes in how the malicious app is executed.

This attack comes amid new research that the number of financial malware attacks against Android users grew by 3.25 times in 2014.


Via: scmagazine

Mozilla scrubs Superfish certificate from Firefox

Issues fix to remove the crapware’s certificate from the browser’s own certificate store.

Mozilla has released an update to Firefox that erases the self-signed digital certificate implanted by Superfish, the vulnerable adware that blew up in Lenovo’s face a week and a half ago.

The update was issued Friday, Feb. 27.

“We are deploying a hotfix today that detects whether Superfish has been removed, and if so, removes the Superfish root from Firefox,” said Richard Barnes, a Mozilla security engineer, on a company blog. “We do not remove the root certificate if the Superfish software is still installed, since that would prevent the user from accessing any HTTPS websites.”

Lenovo has been vilified by some customers and security experts for bundling the Superfish Visual Discovery adware with its consumer-grade personal computers during a four-month stretch in late 2014. Superfish left a gaping hole in the company’s computers: Hackers were handed ways to intercept and steal critical information, including passwords, that was not properly safeguarded by encryption.

To inject ads into other websites, including those that encrypted traffic, Superfish installed its own self-signed root certificate as a trusted SSL (Secure Sockets Layer) authority and shipped the same private key on every machine, so anyone who extracted that key could impersonate any HTTPS site to those PCs. Users needed to not only uninstall the program, but also delete the Superfish certificate.

Since Firefox uses its own certificate store — unlike other browsers, such as Google’s Chrome and Microsoft’s Internet Explorer, it does not rely on Windows’ own — removing the rogue certificate was difficult for some users.

While Lenovo’s instructions showed how to clean the Firefox certificate store, Barnes said some automated tools did not properly disinfect Mozilla’s browser: hence the emergency update.

Mozilla had been working on the hotfix since Feb. 18, when news first broke about Superfish’s vulnerability to abuse.

Firefox 36 with the hotfix can be downloaded from Mozilla’s website. Current users can manually trigger an update by selecting “About Firefox” from the Firefox menu. Before updating, users should ensure that the Superfish software has already been uninstalled.

Also on Friday, Lenovo pledged to reduce the number of pre-loaded third-party applications on its consumer PCs, saying that it would limit so-called “bloatware” to security software, such as the 30-day trial to McAfee’s antivirus suite that is now added to its systems.


Via: computerworld

Ponemon, 3M Warn of Low-Tech Visual Hacking Threat

In a recent experiment, a white hat hacker was successful 88 percent of the time in visually hacking sensitive information, such as employee access and login credentials, that could put corporate data at risk.

In the 3M Visual Hacking Experiment [PDF], conducted by the Ponemon Institute on behalf of 3M and the Visual Privacy Advisory Council, a security expert entered the offices of eight U.S. companies claiming to be a temporary or part-time worker. The white hat hacker used the following methods to visually hack sensitive information:

  • walking through the office scouting for information in full view on desks, screens and other indiscreet locations
  • taking a stack of business documents labeled as confidential
  • using his smartphone to take a picture of confidential information displayed on a computer screen

All of the above tasks were completed in full view of other office workers. In fully 70 percent of cases, the visual hacker was not stopped by employees, even when using a cell phone to take a photo of data displayed on a screen. When the visual hacker was stopped by an employee, he was still able to obtain an average of 2.8 pieces of company data, compared to 4.3 when not stopped.


“In today’s world of spear phishing, it is important for data security professionals not to ignore low tech threats such as visual hacking,” Ponemon Institute chairman and founder Larry Ponemon said in a statement.

“A hacker often only needs one piece of valuable information to unlock a large-scale data breach,” Ponemon added. “This study exposes both how simple it is for a hacker to obtain sensitive data using only visual means, as well as employee carelessness with company information and lack of awareness to data security threats.”

The study also found that 45 percent of companies were visually hacked in less than 15 minutes, and 63 percent were visually hacked in less than half an hour.

An average of five pieces of information were visually hacked per trial, including employee contact lists (63 percent), customer information (42 percent), corporate financials (37 percent), employee access and login information (37 percent), and information about employees (37 percent).

Fifty-three percent of the sensitive information acquired was obtained from a computer screen, far more than from vacant desks (29 percent), printer bins (9 percent), copiers (6 percent) and fax machines (3 percent) combined.

Open floor plans made visual hacking easier — in companies with an open office layout, an average of 4.4 information types were visually hacked, while companies with a traditional office layout saw an average of 3.0 information types visually hacked.

“Visual privacy is a security issue that is often invisible to senior management, which is why it often goes unaddressed,” Visual Privacy Advisory Council member Mari Frank said in a statement. “This study helps to emphasize the importance of implementing a visual privacy policy, educating employees and contractors about how to be responsible with sensitive data they are handling, as well as equipping high-risk employees with the proper tools, such as privacy filters, to protect information as it is displayed.”


Via: esecurityplanet

Visa to eliminate 16-digit account number for remote purchases

Visa Inc. has announced it is expanding the use of new security technology that replaces the traditional 16-digit Visa account number with a unique series of numbers, which is intended to prevent exposure of sensitive consumer account information in online and mobile payments.

“In 2015, Visa will offer secure payments across a wide variety of devices, platforms and apps,” Charlie Scharf, Visa CEO, said in a statement. “In order to enable these innovative new ways to pay, we are deploying smart technologies that help to prevent fraud, while also maintaining consumer and merchant trust in digital commerce.”

In September 2014, Visa launched Visa Token Service, a technology that replaces sensitive payment account information found on plastic cards, such as the 16-digit account number, expiration date and security code, with a unique series of numbers that can authorize payment without exposing actual account details. To date, more than 500 financial institutions have started to implement VTS. In 2015, the service will expand to more payment environments, helping merchants, financial institutions and mobile device manufacturers to offer secure digital payment experiences.
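The property the Visa Token Service relies on is that a token is a random stand-in for the account number, so a merchant or device that holds only tokens has nothing worth stealing. The following is an added example for this page, not Visa's implementation: a minimal token vault that issues Luhn-valid 16-digit tokens from an assumed token BIN range, keeps the PAN-to-token mapping on the vault side only, and resolves a token back to the PAN only for the party it was issued to. The test card number is the well-known Visa sample 4111111111111111; the token BIN prefix, the `requestor` binding and the merchant record layout are this example's assumptions.

```python
import hmac
import secrets


def _luhn_sum(number):
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(number):
    return number.isdigit() and _luhn_sum(number) % 10 == 0


def luhn_check_digit(body):
    """Digit that makes body + digit pass the Luhn check."""
    return str((10 - _luhn_sum(body + "0") % 10) % 10)


class TokenVault:
    """Issues 16-digit stand-ins for PANs and maps them back only for the party
    they were issued to. The token BIN prefix is an assumption of this example."""
    TOKEN_BIN = "490000"

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan, requestor):
        if len(pan) != 16 or not luhn_valid(pan):
            raise ValueError("not a well-formed 16-digit PAN")
        while True:                          # retry on the rare collision
            body = self.TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._by_token and token != pan:
                break
        self._by_token[token] = (pan, requestor)
        return token

    def detokenize(self, token, requestor):
        """Only the issuing side resolves tokens, and only for the right requestor."""
        entry = self._by_token.get(token)
        if entry is None or not hmac.compare_digest(entry[1].encode(), requestor.encode()):
            raise PermissionError("unknown token or wrong requestor")
        return entry[0]


def checkout(vault, pan, merchant):
    """What the merchant ends up storing: the token and display digits, never the PAN."""
    token = vault.tokenize(pan, merchant)
    return {"merchant": merchant, "token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    record = checkout(vault, "4111111111111111", "merchant-a")
    print("merchant stores:", record)
    print("network resolves:", vault.detokenize(record["token"], "merchant-a"))
```

Because the token is drawn at random rather than derived from the PAN, a dump of the merchant's records gives an attacker nothing to reverse; the mapping lives only in the vault, which is why the passage above can say tokens authorize payment without exposing account details.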

Mobile Devices and Platforms

  • Visa Token Service made its commercial debut in October 2014, enabling mobile payments on select Apple devices using Visa accounts through the Apple Pay service.
  • In 2015 other leading device manufacturers and technology companies will begin deploying Visa Token Service to deliver secure mobile payments through their phones, tablets and other connected devices – expanding the reach of this secure mobile technology to tens of millions of consumers.

Mobile Payment Applications

  • Visa also plans to tokenize transactions initiated online with Visa Checkout, Visa’s online payment service that allows consumers to complete eCommerce purchases in just a few clicks.
  • More than 110 merchants globally, including Gap, Gymboree, Neiman Marcus, Orbitz, Pizza Hut and Staples, who have already deployed Visa Checkout, will have the opportunity to benefit from safer transactions using Visa’s token technology.
  • In 2015 financial institutions globally across Asia Pacific, Latin America and the U.S. will also begin deploying Visa Token Service in support of their mobile payment applications and services.

Online Retailers

  • Visa is also helping to improve the safety of eCommerce by eliminating the need for online retailers to store payment account information in order to easily fulfill eCommerce purchases. In 2015, Visa expects some of the largest eCommerce merchants to deploy Visa Token Service, using tokens to process consumer eCommerce purchases rather than actual payment account information.

“Removing card account numbers from the processing and storage of payments represents one of the most innovative and promising technologies we’ve seen in decades,” said Scharf. “This, combined with chip card technology, advances in account holder authentication through analytics and biometrics, and more sophisticated risk monitoring, will allow Visa account holders to enjoy new, secure payment experiences.”


Via: retailcustomerexperience

Minority of Retail IT Security Pros Concerned that Cybercriminals Are Targeting PoS Systems

According to a recent study, only 18 percent of retail IT security professionals are concerned that cybercriminals are targeting point of sale (PoS) devices installed on their networks, and only 20 percent are “confident” that those same devices are securely configured.


Between July and September 2014, Tripwire conducted a study in which it compared the attitudes of some 276 retail executives and IT security professionals based in the UK and United States, with 431 individuals in the energy and financial industries also surveyed.

Some of the study’s key findings include the following:

  • 36 percent of retail executives are “not confident” that their organizations’ network devices are all running only authorized software. Only 25 percent of financial service respondents and 32 percent of energy respondents shared the same concern.
  • Only 25 percent of retail executives expect to receive additional budget to protect IoT devices, with 59 percent of financial respondents and 52 percent of energy respondents expecting to receive additional budget.
  • 34 percent of retail executives are “not confident” all the devices on their network are authorized. 18 percent of financial services respondents and 20 percent of energy sector respondents expressed these same doubts.


The fact that many IT security professionals in the retail, energy, and financial service industries do not know whether the devices connected to their network are authorized or are running authorized software is deeply concerning, according to Dwayne Melancon, CTO for Tripwire.

“It’s imperative that enterprises establish the ability to continuously monitor their network for unknown devices and applications, validate them against a trusted reference point, and quickly remediate weak or unsafe configurations,” said Melancon. “Standards, machine-to-machine learning, and continuous security configuration management can significantly accelerate progress toward this goal.”

Melancon’s recommendations can assist IT professionals in securing the Internet of Things (IoT). Even so, the challenges of IoT security in many cases extend beyond individuals working in information security.
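Melancon's recommendation, monitoring for unknown devices and applications and validating them against a trusted reference point, is concrete enough to sketch in code. The following is an added example for this page, not Tripwire's product or survey material: it reconciles one monitoring snapshot of PoS terminals (what was seen on the network and what each agent reports running, with constructed, shortened digests) against an authorized inventory, and reports unknown devices, software that should not be there, binaries whose hash has drifted from the approved build, and expected devices that have gone missing. The inventory, snapshot, MAC addresses and digests are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Observation:
    """One device seen on the network plus what its agent reports as running.
    software maps binary name -> digest (constructed, shortened digests)."""
    mac: str
    ip: str
    software: dict = field(default_factory=dict)


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def reconcile(observations, authorized):
    """Compare what is seen against the trusted reference (authorized inventory).
    Returns (kind, mac, detail) tuples with kind one of unknown-device,
    unauthorized-software, software-drift, missing-device."""
    findings = []
    seen = set()
    for obs in observations:
        mac = normalize_mac(obs.mac)
        seen.add(mac)
        ref = authorized.get(mac)
        if ref is None:
            findings.append(("unknown-device", mac, obs.ip))
            continue
        for name, digest in obs.software.items():
            expected = ref["software"].get(name)
            if expected is None:
                findings.append(("unauthorized-software", mac, name))
            elif expected != digest:
                findings.append(("software-drift", mac, name))
    for mac in sorted(set(authorized) - seen):
        findings.append(("missing-device", mac, authorized[mac]["role"]))
    return findings


# Constructed trusted reference point: the PoS terminals that should exist and
# the digest of the agent build each should be running.
AUTHORIZED = {
    "00:11:22:33:44:01": {"role": "pos-terminal", "software": {"posagent.exe": "a1b2c3"}},
    "00:11:22:33:44:02": {"role": "pos-terminal", "software": {"posagent.exe": "a1b2c3"}},
    "00:11:22:33:44:03": {"role": "pos-terminal", "software": {"posagent.exe": "a1b2c3"}},
    "00:11:22:33:44:04": {"role": "pos-terminal", "software": {"posagent.exe": "a1b2c3"}},
}

# Constructed snapshot from one monitoring pass: one clean terminal, one with an
# extra binary, one with a modified agent, one device nobody inventoried, and
# terminal 04 not answering at all.
SNAPSHOT = [
    Observation("00-11-22-33-44-01", "10.0.5.11", {"posagent.exe": "a1b2c3"}),
    Observation("00:11:22:33:44:02", "10.0.5.12", {"posagent.exe": "a1b2c3", "svchost32.exe": "ff00ee"}),
    Observation("00:11:22:33:44:03", "10.0.5.13", {"posagent.exe": "d4e5f6"}),
    Observation("de:ad:be:ef:00:01", "10.0.5.99", {}),
]

if __name__ == "__main__":
    for finding in reconcile(SNAPSHOT, AUTHORIZED):
        print(*finding)
```

Run on a schedule, this is the "continuous" part: each pass is diffed against the reference, and every finding is a ticket rather than a dashboard number. The hard part in practice is keeping the reference current, which is why Westin's point below about knowing what is on the network comes first.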

Another study conducted by Atomik Research on behalf of Tripwire revealed that only a minority of executives in the retail, energy, and financial service industries believe that the risks associated with IoT will become the most significant threats on their networks.

To adequately meet the expanding threat landscape under IoT, security professionals must therefore work to improve the cyber literacy of their organizations’ Board of Directors and executives, as a number of experts in association with Tripwire recommend here.

In the meantime, security professionals can work to improve their organizations’ security with respect to IoT, as Ken Westin, senior security and threat analyst at Tripwire, explains.

“One of the most positive findings is that retail organizations can dramatically improve security by focusing on a few key security fundamentals,” comments Westin. “After all, you can’t keep anything secure if you don’t know it’s on your network.”

For a few recommendations on how security professionals can secure the Internet of Things, click here.

For more information about Tripwire’s recent survey, please click here.


Via: tripwire

Natural Grocers investigating unauthorized access to POS systems

While a statement from Natural Grocers said the company has not received “reports of any fraudulent use of payment cards from any customer, credit card brand or financial institution,” Brian Krebs has reported that sources in the financial industry detected a pattern of payment card fraud indicating that attackers gained unauthorized access to the point-of-sale (POS) systems at some of the grocery chain’s locations and installed malware on them.

According to Krebs, Natural Grocers spokespersons have said the company is looking into “a potential data security incident involving an unauthorized intrusion targeting limited customer payment card data.”

That the company “can firmly state what kind of data was not stolen, because they simply do not gather it, is strong evidence of one of the emerging truths of cybersecurity: if you keep something, someone will test your defenses, and if they aren’t perfect, they’ll take whatever you kept,” said Dr. Mike Lloyd, CTO at RedSeal, in a statement sent to SCMagazine.com. “As a result, the new rules say don’t keep it if you don’t need it.”

Only those companies that know “how their business processes really work can hope to successfully defend themselves, and vigilance is essential,” said Lloyd, noting that “humans don’t do this well” and making a plea for automated testing. “If you can find the weaknesses before the bad guys come looking, you can hope to stay ahead.”

Natural Grocers told Krebs that it is accelerating its efforts to upgrade POS systems in all of its 93 locations in 15 states to be PCI compliant. The new systems not only will offer point-to-point encryption but will also support chip and PIN payment cards, which, the company said in the statement to Krebs, will “provide multiple layers of protection for cardholder data.”


Via: scmagazine

Facebook buys WhatsApp for $19 billion

In a play to dominate messaging on phones and the Web, Facebook has acquired WhatsApp for $19 billion.

That’s a stunning sum for the five-year-old company. But WhatsApp has been able to hold its weight against messaging heavyweights like Twitter (TWTR), Google (GOOG) and Microsoft’s (MSFT) Skype. WhatsApp has upwards of 450 million users, and it is adding an additional million users every day.

Referring to WhatsApp’s soaring growth, Facebook CEO Mark Zuckerberg said on a conference call, “No one in the history of the world has done anything like that.”

WhatsApp is the most popular messaging app for smartphones, according to OnDevice Research.

Buying WhatsApp will only bolster Facebook’s already strong position in the crowded messaging world. Messenger, Facebook’s standalone messaging app for mobile devices, is second only to WhatsApp in its share of the smartphone market.

Similar to traditional text messaging, WhatsApp allows people to connect via their cellphone numbers. But instead of racking up texting fees, WhatsApp sends the actual messages over mobile broadband. That makes WhatsApp particularly cost effective for communicating with people overseas.

Such mobile messaging services have become wildly popular, with twice as many messages sent over the mobile Internet as via traditional texts, according to Deloitte. But most of the messaging industry’s revenue is still driven by text messaging.

On the conference call, Facebook said it is not looking to drive revenue from WhatsApp in the near term, instead focusing on growth. Zuckerberg said he doesn’t anticipate trying to aggressively grow WhatsApp’s revenue until the service reaches “billions” of users.

WhatsApp currently charges a dollar a year after giving customers their first year of use for free. WhatsApp CEO Jan Koum said on the conference call that WhatsApp’s business model is already successful.

That indicates Facebook bought WhatsApp to add value to its existing messaging services, as well as for the long-term potential of the company.

Facebook bought Instagram for $1 billion in 2012 for similar reasons: As young social network users gravitated towards photo-sharing, Facebook wanted to scoop up what could have eventually become a big rival.

Like Instagram, WhatsApp will function as an autonomous unit within Facebook, with all the existing employees coming in as part of the deal.

Facebook (FB) said it will pay WhatsApp $4 billion in cash and $12 billion in stock. WhatsApp’s founders and staff will be eligible for another $3 billion in stock grants to be paid out if they remain employed by Facebook for four years. Koum will also join Facebook’s board of directors.


Via: cnn